Skip to content

Comments

libstore: fixup fakeSSH check#14150

Merged
xokdvium merged 1 commit intoNixOS:masterfrom
cole-h:fixup-fakessh-check
Oct 3, 2025
Merged

libstore: fixup fakeSSH check#14150
xokdvium merged 1 commit intoNixOS:masterfrom
cole-h:fixup-fakessh-check

Conversation

@cole-h
Copy link
Member

@cole-h cole-h commented Oct 3, 2025

This broke invocations like:

NIX_SSHOPTS='-p2222 -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no' nix copy /nix/store/......-foo --to ssh-ng://root@localhost

In Nix 2.30.2, fakeSSH was enabled when the "thing I want to connect to" was plain old "localhost". Previously, this check was written as:

     , fakeSSH(host == "localhost")

Given the above invocation, host would have been root@localhost, and thus fakeSSH would be false because root@localhost != localhost.

However, since 49ba061, authority.host returned just the host (localhost, no user) and erroneously enabled fakeSSH in this case, causing NIX_SSHOPTS to be ignored (since, when fakeSSH is true, SSHMaster::startCommand doesn't call addCommonSSHOpts).

authority.to_string() accurately returns the expected root@localhost format (given the above invocation), fixing this.

Motivation

Context

Fixes #14148.

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@cole-h
libstore: fixup fakeSSH check
7ec1427 
This broke invocations like:

    NIX_SSHOPTS='-p2222 -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no' nix copy /nix/store/......-foo --to ssh-ng://root@localhost

In Nix 2.30.2, fakeSSH was enabled when the "thing I want to connect to"
was plain old "localhost". Previously, this check was written as:

         , fakeSSH(host == "localhost")

Given the above invocation, `host` would have been `root@localhost`, and
thus `fakeSSH` would be `false` because `root@localhost` != `localhost`.

However, since 49ba061, `authority.host`
returned _just_ the host (`localhost`, no user) and erroneously enabled
`fakeSSH` in this case, causing `NIX_SSHOPTS` to be ignored (since,
when `fakeSSH` is `true`, `SSHMaster::startCommand` doesn't call
`addCommonSSHOpts`).

`authority.to_string()` accurately returns the expected `root@localhost`
format (given the above invocation), fixing this.
@cole-h cole-h requested a review from Ericson2314 as a code owner October 3, 2025 19:18
@cole-h cole-h added the backport 2.31-maintenance Automatically creates a PR against the branch label Oct 3, 2025
This was referenced Oct 3, 2025
Merged
Closed
@xokdvium xokdvium merged commit 862c816 into NixOS:master Oct 3, 2025
15 checks passed
@xokdvium xokdvium self-assigned this Oct 3, 2025
@cole-h cole-h deleted the fixup-fakessh-check branch October 3, 2025 19:48
@cole-h cole-h added backport 2.31-maintenance Automatically creates a PR against the branch and removed backport 2.31-maintenance Automatically creates a PR against the branch labels Oct 7, 2025
@cole-h
Copy link
Member Author

cole-h commented Oct 7, 2025

I guess the backport label is broken / doesn't like me 🤷

@xokdvium
Copy link
Contributor

xokdvium commented Oct 7, 2025

@cole-h mergify was dead and we've also reverted to backport action now to support native github merge queues.

@xokdvium xokdvium added backport 2.31-maintenance Automatically creates a PR against the branch and removed backport 2.31-maintenance Automatically creates a PR against the branch labels Oct 7, 2025
@internal-nix-ci
Copy link

internal-nix-ci bot commented Oct 7, 2025

Successfully created backport PR for 2.31-maintenance:

@internal-nix-ci internal-nix-ci bot mentioned this pull request Oct 7, 2025
Merged
philiptaron added a commit to philiptaron/nixpkgs that referenced this pull request Jan 8, 2026
@philiptaron
nixVersions.nix_2_31: 2.31.2 -> 2.31.3
b766136 
## Bug fixes (crashes)

- Fix segfaults from `toView()` when compiled with newer nixpkgs (NixOS/nix#14154)
- Fix use-after-move in `DerivationGoal::repairClosure` and `SampleStack` (NixOS/nix#14086)
- Fix assertion failure on partially valid derivation outputs (NixOS/nix#14137)
- Fix `RestrictedStore::addDependency` recursion causing crashes (NixOS/nix#14729)
- Fix crash on flakerefs containing newlines (NixOS/nix#14450)

## Bug fixes (functionality)

- Fix fakeSSH check breaking SSH copies with `user@host` format (NixOS/nix#14150)
- Fix `builtins.dirOf` regression from Nix 2.23 (NixOS/nix#14515)
- Restore missing `isAllowed` check in `ChrootLinuxDerivationBuilder` (NixOS/nix#14531)
- Fix curl with c-ares failing to resolve DNS in sandbox on macOS (NixOS/nix#14792)
- Fix tarball percent decoding for `file://` URIs (NixOS/nix#14729)
- `exportReferencesGraph`: Handle heterogeneous arrays (NixOS/nix#13861)
- Fix filesystem ops in store optimization (NixOS/nix#14676)

## Bug fixes (output)

- Fix double-quoting of paths in logs (NixOS/nix#14210)
- Include path in world-writable error messages (NixOS/nix#14785)

## Improvements

- Better git refnames validation (NixOS/nix#14253)
- Use pure/restricted eval for help pages (NixOS/nix#14156)
- Improve store-reference compatibility with IPv6 ZoneId literals (NixOS/nix#14134)
- Correct `build-dir` error in manual (NixOS/nix#14745)

## Build system

- Add mdbook 0.5 support (NixOS/nix#14690)
- Drop legacy Apple SDK pattern (NixOS/nix#13976)

https://github.com/NixOS/nix/releases/tag/2.31.3
philiptaron added a commit to philiptaron/nixpkgs that referenced this pull request Jan 8, 2026
@philiptaron
nixVersions.nix_2_31: 2.31.2 -> 2.31.3
beb3263 
Changelog of fixes:

## Bug fixes (crashes)

- Fix segfaults from `toView()` when compiled with newer nixpkgs (NixOS/nix#14154)
- Fix use-after-move in `DerivationGoal::repairClosure` and `SampleStack` (NixOS/nix#14086)
- Fix assertion failure on partially valid derivation outputs (NixOS/nix#14137)
- Fix `RestrictedStore::addDependency` recursion causing crashes (NixOS/nix#14729)
- Fix crash on flakerefs containing newlines (NixOS/nix#14450)

## Bug fixes (functionality)

- Fix fakeSSH check breaking SSH copies with `user@host` format (NixOS/nix#14150)
- Fix `builtins.dirOf` regression from Nix 2.23 (NixOS/nix#14515)
- Restore missing `isAllowed` check in `ChrootLinuxDerivationBuilder` (NixOS/nix#14531)
- Fix curl with c-ares failing to resolve DNS in sandbox on macOS (NixOS/nix#14792)
- Fix tarball percent decoding for `file://` URIs (NixOS/nix#14729)
- `exportReferencesGraph`: Handle heterogeneous arrays (NixOS/nix#13861)
- Fix filesystem ops in store optimization (NixOS/nix#14676)

## Bug fixes (output)

- Fix double-quoting of paths in logs (NixOS/nix#14210)
- Include path in world-writable error messages (NixOS/nix#14785)

## Improvements

- Better git refnames validation (NixOS/nix#14253)
- Use pure/restricted eval for help pages (NixOS/nix#14156)
- Improve store-reference compatibility with IPv6 ZoneId literals (NixOS/nix#14134)
- Correct `build-dir` error in manual (NixOS/nix#14745)

## Build system

- Add mdbook 0.5 support (NixOS/nix#14690)
- Drop legacy Apple SDK pattern (NixOS/nix#13976)

https://github.com/NixOS/nix/releases/tag/2.31.3
@philiptaron philiptaron mentioned this pull request Jan 8, 2026
Merged
13 tasks
philiptaron added a commit to philiptaron/nixpkgs that referenced this pull request Jan 15, 2026
@philiptaron
nixVersions.nix_2_31: 2.31.2 -> 2.31.3
a4ef4c1 
Changelog of fixes:

## Bug fixes (crashes)

- Fix segfaults from `toView()` when compiled with newer nixpkgs (NixOS/nix#14154)
- Fix use-after-move in `DerivationGoal::repairClosure` and `SampleStack` (NixOS/nix#14086)
- Fix assertion failure on partially valid derivation outputs (NixOS/nix#14137)
- Fix `RestrictedStore::addDependency` recursion causing crashes (NixOS/nix#14729)
- Fix crash on flakerefs containing newlines (NixOS/nix#14450)

## Bug fixes (functionality)

- Fix fakeSSH check breaking SSH copies with `user@host` format (NixOS/nix#14150)
- Fix `builtins.dirOf` regression from Nix 2.23 (NixOS/nix#14515)
- Restore missing `isAllowed` check in `ChrootLinuxDerivationBuilder` (NixOS/nix#14531)
- Fix curl with c-ares failing to resolve DNS in sandbox on macOS (NixOS/nix#14792)
- Fix tarball percent decoding for `file://` URIs (NixOS/nix#14729)
- `exportReferencesGraph`: Handle heterogeneous arrays (NixOS/nix#13861)
- Fix filesystem ops in store optimization (NixOS/nix#14676)

## Bug fixes (output)

- Fix double-quoting of paths in logs (NixOS/nix#14210)
- Include path in world-writable error messages (NixOS/nix#14785)

## Improvements

- Better git refnames validation (NixOS/nix#14253)
- Use pure/restricted eval for help pages (NixOS/nix#14156)
- Improve store-reference compatibility with IPv6 ZoneId literals (NixOS/nix#14134)
- Correct `build-dir` error in manual (NixOS/nix#14745)

## Build system

- Add mdbook 0.5 support (NixOS/nix#14690)
- Drop legacy Apple SDK pattern (NixOS/nix#13976)

https://github.com/NixOS/nix/releases/tag/2.31.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xokdvium xokdvium xokdvium approved these changes

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 is a code owner

Assignees

@xokdvium xokdvium

Labels

backport 2.31-maintenance Automatically creates a PR against the branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

NIX_SSHOPTS is broken for localhost (but not 127.0.0.1) since Nix 2.31.0

2 participants

@cole-h @xokdvium