max/nix-super
1
0
Fork 0
mirror of https://github.com/privatevoid-net/nix-super.git synced 2024-11-22 14:06:16 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #10340 from edolstra/trust-github

Browse source 
Add trust-tarballs-from-git-forges setting
This commit is contained in:
Théophane Hufschmitt 2024-04-02 16:08:57 +02:00 committed by GitHub
commit 29c3e4f580
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 25 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
src/libfetchers/fetch-settings.hh
View file

@ -78,7 +78,6 @@ struct FetchSettings : public Config
)", )",
{}, true, Xp::Flakes}; {}, true, Xp::Flakes};
Setting<bool> useRegistries{this, true, "use-registries", Setting<bool> useRegistries{this, true, "use-registries",
"Whether to use flake registries to resolve flake references.", "Whether to use flake registries to resolve flake references.",
{}, true, Xp::Flakes}; {}, true, Xp::Flakes};
@ -94,6 +93,22 @@ struct FetchSettings : public Config
empty, the summary is generated based on the action performed. empty, the summary is generated based on the action performed.
)", )",
{}, true, Xp::Flakes}; {}, true, Xp::Flakes};
Setting<bool> trustTarballsFromGitForges{
this, true, "trust-tarballs-from-git-forges",
R"(
If enabled (the default), Nix will consider tarballs from
GitHub and similar Git forges to be locked if a Git revision
is specified,
e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f`.
This requires Nix to trust that the provider will return the
correct contents for the specified Git revision.
If disabled, such tarballs are only considered locked if a
`narHash` attribute is specified,
e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f?narHash=sha256-PPXqKY2hJng4DBVE0I4xshv/vGLUskL7jl53roB8UdU%3D`.
)"};
}; };
// FIXME: don't use a global variable. // FIXME: don't use a global variable.

4
src/libfetchers/github.cc
View file

@ -294,7 +294,9 @@ struct GitArchiveInputScheme : InputScheme
Git revision alone, we also require a NAR hash for Git revision alone, we also require a NAR hash for
locking. FIXME: in the future, we may want to require a Git locking. FIXME: in the future, we may want to require a Git
tree hash instead of a NAR hash. */ tree hash instead of a NAR hash. */
return input.getRev().has_value() && input.getNarHash().has_value(); return input.getRev().has_value()
&& (fetchSettings.trustTarballsFromGitForges ||
input.getNarHash().has_value());
} }
std::optional<ExperimentalFeature> experimentalFeature() const override std::optional<ExperimentalFeature> experimentalFeature() const override

7
tests/nixos/github-flakes.nix
View file

@ -187,9 +187,14 @@ in
client.succeed("nix flake metadata nixpkgs --tarball-ttl 0 >&2") client.succeed("nix flake metadata nixpkgs --tarball-ttl 0 >&2")
# Test fetchTree on a github URL. # Test fetchTree on a github URL.
hash = client.succeed(f"nix eval --raw --expr '(fetchTree {info['url']}).narHash'") hash = client.succeed(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr '(fetchTree {info['url']}).narHash'")
assert hash == info['locked']['narHash'] assert hash == info['locked']['narHash']
# Fetching without a narHash should succeed if trust-github is set and fail otherwise.
client.succeed(f"nix eval --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}'")
out = client.fail(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}' 2>&1")
assert "will not fetch unlocked input" in out, "--no-trust-tarballs-from-git-forges did not fail with the expected error"
# Shut down the web server. The flake should be cached on the client. # Shut down the web server. The flake should be cached on the client.
github.succeed("systemctl stop httpd.service") github.succeed("systemctl stop httpd.service")