nix-daemon: allow more safe settings by "untrusted" users. #3037
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These options are mostly selected based on my usage
and judging each to only change "superficial" properties
of the build or output printed.
I particularly find it useful to ask builds to only
use remote builders (when on laptop, esp battery),
hence the
--max-jobs 0
whitelisting.TTL settings can be useful when debugging either
a build cache (mostly forcing re-fetching)
or fetching latest copy of a URL such as
https://github.com/NixOS/nixpkgs/archive/master.tar.gz
(most commonly I used this to ensure my NixOps deployments
use latest version of branch they're pointed at, for
faster/sane change/deploy cycles).
I think setting
show-trace
is safe,assuming the eval is performed by the user
and so any increased memory usage is theirs.
I don't think we are concerned about tracing
exposing (or being disabled to "hide") information
from untrusted users, but LMK if that's not right.
In the future it might be nice to add alias options
--remote-only
or--local-only
or something,but for now don't reject the current method for
requesting the behavior.