Merge pull request #10340 from edolstra/trust-github

Add trust-tarballs-from-git-forges setting
2024-11-22 14:06:16 +02:00 · 2024-04-02 16:08:57 +02:00 · 2024-04-02 16:08:57 +02:00 · 29c3e4f580
commit 29c3e4f580
parent bb5764e578 00ce36fafe
3 changed files with 25 additions and 3 deletions
--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@ -78,7 +78,6 @@ struct FetchSettings : public Config
        )",
        {}, true, Xp::Flakes};

-
    Setting<bool> useRegistries{this, true, "use-registries",
        "Whether to use flake registries to resolve flake references.",
        {}, true, Xp::Flakes};
@ -94,6 +93,22 @@ struct FetchSettings : public Config
          empty, the summary is generated based on the action performed.
        )",
        {}, true, Xp::Flakes};
+
+    Setting<bool> trustTarballsFromGitForges{
+        this, true, "trust-tarballs-from-git-forges",
+        R"(
+          If enabled (the default), Nix will consider tarballs from
+          GitHub and similar Git forges to be locked if a Git revision
+          is specified,
+          e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f`.
+          This requires Nix to trust that the provider will return the
+          correct contents for the specified Git revision.
+
+          If disabled, such tarballs are only considered locked if a
+          `narHash` attribute is specified,
+          e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f?narHash=sha256-PPXqKY2hJng4DBVE0I4xshv/vGLUskL7jl53roB8UdU%3D`.
+        )"};
+
 };

 // FIXME: don't use a global variable.
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
@ -294,7 +294,9 @@ struct GitArchiveInputScheme : InputScheme
           Git revision alone, we also require a NAR hash for
           locking. FIXME: in the future, we may want to require a Git
           tree hash instead of a NAR hash. */
-        return input.getRev().has_value() && input.getNarHash().has_value();
+        return input.getRev().has_value()
+            && (fetchSettings.trustTarballsFromGitForges ||
+                input.getNarHash().has_value());
    }

    std::optional<ExperimentalFeature> experimentalFeature() const override
--- a/tests/nixos/github-flakes.nix
+++ b/tests/nixos/github-flakes.nix
@ -187,9 +187,14 @@ in
    client.succeed("nix flake metadata nixpkgs --tarball-ttl 0 >&2")

    # Test fetchTree on a github URL.
-    hash = client.succeed(f"nix eval --raw --expr '(fetchTree {info['url']}).narHash'")
+    hash = client.succeed(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr '(fetchTree {info['url']}).narHash'")
    assert hash == info['locked']['narHash']

+    # Fetching without a narHash should succeed if trust-github is set and fail otherwise.
+    client.succeed(f"nix eval --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}'")
+    out = client.fail(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}' 2>&1")
+    assert "will not fetch unlocked input" in out, "--no-trust-tarballs-from-git-forges did not fail with the expected error"
+
    # Shut down the web server. The flake should be cached on the client.
    github.succeed("systemctl stop httpd.service")