trivial-builders: disallow sub in requireFile #42637

Merged
merged 1 commit into from Jun 27, 2018

matthewbauer
Member

@matthewbauer matthewbauer commented Jun 27, 2018

The requireFile call was being substituted from the binary cache. We
do not want this to happen as the user needs to download the file
themselves.

Note that there is still an issue where nix-serve can provide these files if you request them.

@xeji xeji merged commit 4e9b191 into NixOS:master Jun 27, 2018
@matthewbauer matthewbauer deleted the disallow-substitutes-requirefile branch June 27, 2018 21:00
eadwu added a commit to eadwu/nixos-configuration that referenced this pull request Apr 10, 2020
So file can be downloaded from a binary cache
See NixOS/nixpkgs#42637
@layus
Member

layus commented Sep 12, 2022

In the same fashion as @eadwu in eadwu/nixos-configuration@953304c, I disabled this "feature" with an overlay:

final: prev: {
  requireFile = args: (prev.requireFile args).overrideAttrs (_: { allowSubstitutes = true; });
}

I question the need for allowSubstitutes = false; here. Surely, if the file cannot and should not be downloaded automatically, it should never land in binary caches. I would argue that this setup creates confusion above anything else. Because when the path is in the cache, it can still be substituted with nix-store --realise /the/path anyway. AFAIK, we have no way to prevent anyone from downloading a file from a binary cache, we just have to ensure that it is not sent there at all.

@layus
Member

layus commented Sep 12, 2022

Another option is to create a second trivial builder with a different name to disambiguate the semantics. requireFile can be very useful as a way to describe a file that can be obtained from a binary cache only, because it was built non-reproducibly by some user of the system. (I know it is not an ideal setup, but it is handy sometimes, if not the only option). requireFile name does not carry the meaning that nix is not allowed to fetch it for you.

@wucke13
Contributor

wucke13 commented Nov 9, 2023

I just searched for ~45 minutes looking for the bug in my nix-serve setup. Eventually I found this issue, and a quick overlay fixed the issue.

{
  pkgs = import nixpkgs {
    inherit system;
    overlays = [
      (final: prev: {
        requireFile = args: (prev.requireFile args).overrideAttrs (_: { allowSubstitutes = true; });
      })
    ];
  };
}

I'm strongly in favour of fixing this upstream, the current behavior is just surprising in a bad, potentially time wasting way.
