Add option ‘extra-binary-caches’
This allows providing additional binary caches, useful in scripts like Hydra's build reproduction scripts, in particular because untrusted caches are ignored.
parent
cc837e2458
commit
ea019e9a26
|
@ -350,13 +350,25 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para>
|
||||||
whitespace. These are not used by default, but can be enabled by
|
whitespace. These are not used by default, but can be enabled by
|
||||||
users of the Nix daemon by specifying <literal>--option
|
users of the Nix daemon by specifying <literal>--option
|
||||||
binary-caches <replaceable>urls</replaceable></literal> on the
|
binary-caches <replaceable>urls</replaceable></literal> on the
|
||||||
command line. Daemon users are only allowed to pass a subset of
|
command line. Unprivileged users are only allowed to pass a
|
||||||
the URLs listed in <literal>binary-caches</literal> and
|
subset of the URLs listed in <literal>binary-caches</literal> and
|
||||||
<literal>trusted-binary-caches</literal>.</para></listitem>
|
<literal>trusted-binary-caches</literal>.</para></listitem>
|
||||||
|
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
||||||
|
<varlistentry><term><literal>extra-binary-caches</literal></term>
|
||||||
|
|
||||||
|
<listitem><para>Additional binary caches appended to those
|
||||||
|
specified in <option>binary-caches</option> and
|
||||||
|
<option>binary-caches-files</option>. When used by unprivileged
|
||||||
|
users, untrusted binary caches (i.e. those not listed in
|
||||||
|
<option>trusted-binary-caches</option>) are silently
|
||||||
|
ignored.</para></listitem>
|
||||||
|
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
|
||||||
<varlistentry><term><literal>binary-caches-parallel-connections</literal></term>
|
<varlistentry><term><literal>binary-caches-parallel-connections</literal></term>
|
||||||
|
|
||||||
<listitem><para>The maximum number of parallel HTTP connections
|
<listitem><para>The maximum number of parallel HTTP connections
|
||||||
|
|
|
@ -208,12 +208,15 @@ sub getAvailableCaches {
|
||||||
push @urls, strToList($url);
|
push @urls, strToList($url);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
push @urls, strToList($Nix::Config::config{"extra-binary-caches"} // "");
|
||||||
|
|
||||||
# Allow Nix daemon users to override the binary caches to a subset
|
# Allow Nix daemon users to override the binary caches to a subset
|
||||||
# of those listed in the config file. Note that ‘untrusted-*’
|
# of those listed in the config file. Note that ‘untrusted-*’
|
||||||
# denotes options passed by the client.
|
# denotes options passed by the client.
|
||||||
|
my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // ""));
|
||||||
|
|
||||||
if (defined $Nix::Config::config{"untrusted-binary-caches"}) {
|
if (defined $Nix::Config::config{"untrusted-binary-caches"}) {
|
||||||
my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"};
|
my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"};
|
||||||
my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // ""));
|
|
||||||
@urls = ();
|
@urls = ();
|
||||||
foreach my $url (@untrustedUrls) {
|
foreach my $url (@untrustedUrls) {
|
||||||
die "binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ [@trustedUrls] in $Nix::Config::confDir/nix.conf)\n"
|
die "binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ [@trustedUrls] in $Nix::Config::confDir/nix.conf)\n"
|
||||||
|
@ -222,6 +225,12 @@ sub getAvailableCaches {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my @untrustedUrls = strToList $Nix::Config::config{"untrusted-extra-binary-caches"};
|
||||||
|
foreach my $url (@untrustedUrls) {
|
||||||
|
next unless scalar(grep { $url eq $_ } @trustedUrls) > 0;
|
||||||
|
push @urls, $url;
|
||||||
|
}
|
||||||
|
|
||||||
foreach my $url (uniq @urls) {
|
foreach my $url (uniq @urls) {
|
||||||
|
|
||||||
# FIXME: not atomic.
|
# FIXME: not atomic.
|
||||||
|
|
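Review bot: The added `strToList $Nix::Config::config{"untrusted-extra-binary-caches"}` in the second hunk has no default, unlike the `// ""` used for `extra-binary-caches` and `trusted-binary-caches` in the first hunk, so when the client sends no such option strToList is called with undef (probably an uninitialized-value warning, though strToList itself is not visible here). I would write `my @untrustedUrls = strToList($Nix::Config::config{"untrusted-extra-binary-caches"} // "");`. The filter fails closed through exact string equality against `@trustedUrls`, which is the safe direction, but a comment such as `# Client-supplied extra caches are used only if they appear verbatim in @trustedUrls; anything else is dropped without error.` would record that the silent drop is deliberate, in contrast with the `die` for `untrusted-binary-caches` just above. getAvailableCaches begins and ends outside both hunks.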