nixos/nix-daemon: default nix.useSandbox to true.
#44190
Conversation
|
Related NixOS/nix#179 |
|
Would be really nice if this could make it into 18.09. |
| @@ -127,7 +127,7 @@ in | |||
|
|
|||
| useSandbox = mkOption { | |||
| type = types.either types.bool (types.enum ["relaxed"]); | |||
| default = false; | |||
| default = true; | |||
| description = " | |||
| If set, Nix will perform builds in a sandboxed environment that it | |||
| will set up automatically for each build. This prevents impurities | |||
There was a problem hiding this comment.
"This isn't enabled by default" below should be updated (if this is making it in)
There was a problem hiding this comment.
Thanks! I updated the change.
andir
force-pushed
the
nixos/default-enable-sandboxing
branch
from
3da4ce4
to
c2401c1
Compare
| the initial setup time of a sandbox for each build. It doesn't affect | ||
| derivation hashes, so changing this option will not trigger a rebuild | ||
| of packages. | ||
| This is enabled by default even thought it has a possible performance |
andir
force-pushed
the
nixos/default-enable-sandboxing
branch
from
c2401c1
to
4f6df27
Compare
|
Judging by the amount of 👍 reactions to the initial post there seems to be a broad base of support for this. I did read through the other issue and I can not come up with a reason why someone knowledgeable wouldn't just turn it off if it really bothers them... |
| </listitem> | ||
| </listitem> | ||
| <listitem> | ||
| <para>The module option <option>nix.useSandbox</option> is now defaulted to <literal>true</literal>. |
There was a problem hiding this comment.
I got the following error:
release-notes/rl-1809.xml:376: parser error : Opening and ending tag mismatch: para line 375 and itemizedlist
</itemizedlist>
^
release-notes/rl-1809.xml:377: parser error : Opening and ending tag mismatch: listitem line 374 and section
</section>
^
release-notes/rl-1809.xml:378: parser error : Opening and ending tag mismatch: itemizedlist line 167 and section
</section>
^
release-notes/rl-1809.xml:379: parser error : Premature end of data in tag section line 160
^
release-notes/rl-1809.xml:379: parser error : Premature end of data in tag section line 1
^
release-notes/release-notes.xml:11: element include: XInclude error : could not load release-notes/rl-1809.xml, and no fallback was found
It needs closing tags </para></listitem>.
|
iirc the reason it was disabled by default for nixos in particular is that nixos involves many trivial builds (unit files and such), where the startup cost can increase the build time by a significant factor. Still I'm fully 👍 on this change! |
Motivation for this change
After some discussions on IRC we thought that enabling sanboxing per default might be a good idea. The initial concern was the comment about a performance penalty when using sandboxing. The penalty is supposedly only significant during the startup of build. IMHO the gained level of security does warrant the extra bit of slowness.
Please leave you opinions here.
There was a recent rephrasing of the
descriptionof said option with f098e60. It would be great to know if that also originated from thoughts of enabling it. (CC @LnL7 @bbarker)CC those people involved in the discussion on IRC: @manveru @cleverca22
CC some of the people that might know more about the impact: @edolstra @LnL7 @grahamc