@edolstra @rbvermaa Can we please get a maintenance release with this in it? This will allow us to actually secure our configs...

+1

@shlevy hmm... this doesn't work. It looks like the netrc is not being picked up (neither in the default location /etc/nix/netrc, nor in some other manually specified path).

master, on the other hand, is still working correctly.

@k0001 Did you patch your daemon?

Ah, I see the issue, one sec

@k0001 Can you try again?

@shlevy now nix-channel --update is working, but nix-build continues to fail due to authentication reasons.

At what stage? Can you share output?

@shlevy check this output from nix-build (in a NixOS host running nix-daemon):

these paths will be fetched (0.00 MiB download, 36.20 MiB unpacked):
  /nix/store/k6bchazxa51633nwpw24n4ns6692bbra-text-1.2.2.1
fetching path ‘/nix/store/k6bchazxa51633nwpw24n4ns6692bbra-text-1.2.2.1’...

*** Downloading ‘https://foo.ren.zone/nar/k6bchazxa51633nwpw24n4ns6692bbra-text-1.2.2.1’ (signed by ‘foo.ren.zone-1’) to ‘/nix/store/k6bchazxa51633nwpw24n4ns6692bbrea-text-1.2.2.1’...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
curl: (22) The requested URL returned error: 401 
/nix/store/24il4hylccf35jgfbg8164c122l5ymdd-xz-5.2.2-bin/bin/xz: (stdin): File format not recognized
error: unexpected end-of-file
download of ‘https://foo.ren.zone/nar/k6bchazxa51633nwpw24n4ns6692bbra-text-1.2.2.1’ failed: No such file or directory
could not download ‘/nix/store/k6bchazxa51633nwpw24n4ns6692bbra-text-1.2.2.1’ from any binary cache
fetching path ‘/nix/store/k6bchazxa51633nwpw24n4ns6692bbra-text-1.2.2.1’ failed with exit code 1
error: build of ‘/nix/store/gqjg3gc4rhqxfrkk8fr1arhki92vm9la-text-1.2.2.1.drv’ failed

Trying to manually download that same url using curl --netrc-file /etc/nix/netrc works just fine, which suggests this netrc file is not being picked up by nix.

@k0001 fixed

I'm kind of reluctant to put new features in a maintenance branch.

This is a pretty important security feature and there is no timeline for 1.12 release. Judging by reactions I'm not the only one who wants this...

In general, I think we should either allow some backported features in maintenance branches or new releases must be made more frequently. Doing neither cause frustration.

EDIT: can cause -> cause :-)

Yes 🎉 ! @shlevy this works now! I tried as root, and as normal user, with the default netrc-file location and with some manually specified location, and it all works as expected. Thanks!

@edolstra I don't consider this to be a new feature, but rather a fix to a security flaw present in the current nix stable. Namely, that you can't use a remote binary cache behind HTTP Basic Auth without leaking the user/password to the build logs.

@edolstra @rbvermaa ping

@edolstra @rbvermaa Can we please have this in? We can't insist on our devs using an unstable version of nix but we can't securely use our cache with 1.11...

@edolstra @rbvermaa ping :)

@edolstra We are going to need to maintain a fork of nix if this doesn't get in... I don't understand the hesitation here.

@shlevy, think it's in nix-env -iA nixUnstable -f '<nixpkgs>'

@dmjio Yes, but nix-1.12 is, well, unstable. There have been several issues impeding its adoption for end users. This PR is to backport the change to nix-1.11 and get a new release.

Thanks!!

I thought this would deal with all kinds of URL fetching, but looks like I was wrong. Worked around with NIX_CURL_FLAGS="--netrc-file /path/to/netrc" nix-build ....

EDIT: Fix NIX_CURL_OPTS -> NIX_CURL_FLAGS