make-squashfs: Hack to avoid building images where nixos-install won't run

https://github.com/NixOS/nixpkgs/issues/32242

1 files changed, 27 insertions, 0 deletions

diff --git a/nixos/lib/make-squashfs.nix b/nixos/lib/make-squashfs.nix
index 4100af27becb..c76c98737412 100644
--- a/nixos/lib/make-squashfs.nix
+++ b/nixos/lib/make-squashfs.nix
@@ -19,6 +19,33 @@ stdenv.mkDerivation {
       # Add the closures of the top-level store objects.
       storePaths=$(perl ${pathsFromGraph} closure-*)
 
+      # If a Hydra slave happens to have store paths with bad permissions/mtime,
+      # abort now so that they don't end up in ISO images in the channel.
+      # https://github.com/NixOS/nixpkgs/issues/32242
+      hasBadPaths=""
+      for path in $storePaths; do
+        if [ -h "$path" ]; then
+          continue
+        fi
+
+        mtime=$(stat -c %Y "$path")
+        mode=$(stat -c %a "$path")
+
+        if [ "$mtime" != 1 ]; then
+          echo "Store path '$path' has an invalid mtime."
+          hasBadPaths=1
+        fi
+        if [ "$mode" != 444 ] && [ "$mode" != 555 ]; then
+          echo "Store path '$path' has invalid permissions."
+          hasBadPaths=1
+        fi
+      done
+
+      if [ -n "$hasBadPaths" ]; then
+        echo "You have bad paths in your store, please fix them."
+        exit 1
+      fi
+
       # Also include a manifest of the closures in a format suitable
       # for nix-store --load-db.
       printRegistration=1 perl ${pathsFromGraph} closure-* > nix-path-registration