mirror of
https://github.com/NixOS/nix.git
synced 2024-10-31 06:10:59 +00:00
Merge pull request #10340 from edolstra/trust-github
Add trust-tarballs-from-git-forges setting
This commit is contained in:
commit
29c3e4f580
@ -78,7 +78,6 @@ struct FetchSettings : public Config
|
||||
)",
|
||||
{}, true, Xp::Flakes};
|
||||
|
||||
|
||||
Setting<bool> useRegistries{this, true, "use-registries",
|
||||
"Whether to use flake registries to resolve flake references.",
|
||||
{}, true, Xp::Flakes};
|
||||
@ -94,6 +93,22 @@ struct FetchSettings : public Config
|
||||
empty, the summary is generated based on the action performed.
|
||||
)",
|
||||
{}, true, Xp::Flakes};
|
||||
|
||||
Setting<bool> trustTarballsFromGitForges{
|
||||
this, true, "trust-tarballs-from-git-forges",
|
||||
R"(
|
||||
If enabled (the default), Nix will consider tarballs from
|
||||
GitHub and similar Git forges to be locked if a Git revision
|
||||
is specified,
|
||||
e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f`.
|
||||
This requires Nix to trust that the provider will return the
|
||||
correct contents for the specified Git revision.
|
||||
|
||||
If disabled, such tarballs are only considered locked if a
|
||||
`narHash` attribute is specified,
|
||||
e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f?narHash=sha256-PPXqKY2hJng4DBVE0I4xshv/vGLUskL7jl53roB8UdU%3D`.
|
||||
)"};
|
||||
|
||||
};
|
||||
|
||||
// FIXME: don't use a global variable.
|
||||
|
@ -294,7 +294,9 @@ struct GitArchiveInputScheme : InputScheme
|
||||
Git revision alone, we also require a NAR hash for
|
||||
locking. FIXME: in the future, we may want to require a Git
|
||||
tree hash instead of a NAR hash. */
|
||||
return input.getRev().has_value() && input.getNarHash().has_value();
|
||||
return input.getRev().has_value()
|
||||
&& (fetchSettings.trustTarballsFromGitForges ||
|
||||
input.getNarHash().has_value());
|
||||
}
|
||||
|
||||
std::optional<ExperimentalFeature> experimentalFeature() const override
|
||||
|
@ -187,9 +187,14 @@ in
|
||||
client.succeed("nix flake metadata nixpkgs --tarball-ttl 0 >&2")
|
||||
|
||||
# Test fetchTree on a github URL.
|
||||
hash = client.succeed(f"nix eval --raw --expr '(fetchTree {info['url']}).narHash'")
|
||||
hash = client.succeed(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr '(fetchTree {info['url']}).narHash'")
|
||||
assert hash == info['locked']['narHash']
|
||||
|
||||
# Fetching without a narHash should succeed if trust-github is set and fail otherwise.
|
||||
client.succeed(f"nix eval --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}'")
|
||||
out = client.fail(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}' 2>&1")
|
||||
assert "will not fetch unlocked input" in out, "--no-trust-tarballs-from-git-forges did not fail with the expected error"
|
||||
|
||||
# Shut down the web server. The flake should be cached on the client.
|
||||
github.succeed("systemctl stop httpd.service")
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user