Build IFD in the build store when using eval-store.

Previously, IFDs would be built within the eval store, even though one
is typically using `--eval-store` precisely to *avoid* local builds.

Because the resulting Nix expression must be copied back to the eval
store in order to be imported, this requires the eval store to trust
the build store's signatures.

(cherry picked from commit c3942ef85ffbd83391410fbf012f1de366d2463c)
Shea Levy 2023-12-23 21:26:12 -05:00
parent be208d8e78
commit e7c2b35827
No known key found for this signature in database
GPG key ID: 5C0BD6957D86FE27
2 changed files with 24 additions and 8 deletions


@ -82,16 +82,15 @@ StringMap EvalState::realiseContext(const NixStringContext & context)
/* Build/substitute the context. */ /* Build/substitute the context. */
std::vector<DerivedPath> buildReqs; std::vector<DerivedPath> buildReqs;
for (auto & d : drvs) buildReqs.emplace_back(DerivedPath { d }); for (auto & d : drvs) buildReqs.emplace_back(DerivedPath { d });
store->buildPaths(buildReqs); buildStore->buildPaths(buildReqs, bmNormal, store);
StorePathSet outputsToCopyAndAllow;
for (auto & drv : drvs) { for (auto & drv : drvs) {
auto outputs = resolveDerivedPath(*store, drv); auto outputs = resolveDerivedPath(*buildStore, drv, &*store);
for (auto & [outputName, outputPath] : outputs) { for (auto & [outputName, outputPath] : outputs) {
/* Add the output of this derivations to the allowed outputsToCopyAndAllow.insert(outputPath);
paths. */
if (allowedPaths) {
allowPath(outputPath);
}
/* Get all the output paths corresponding to the placeholders we had */ /* Get all the output paths corresponding to the placeholders we had */
if (experimentalFeatureSettings.isEnabled(Xp::CaDerivations)) { if (experimentalFeatureSettings.isEnabled(Xp::CaDerivations)) {
res.insert_or_assign( res.insert_or_assign(
@ -100,12 +99,21 @@ StringMap EvalState::realiseContext(const NixStringContext & context)
.drvPath = drv.drvPath, .drvPath = drv.drvPath,
.output = outputName, .output = outputName,
}).render(), }).render(),
store->printStorePath(outputPath) buildStore->printStorePath(outputPath)
); );
} }
} }
} }
if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);
if (allowedPaths) {
for (auto & outputPath : outputsToCopyAndAllow) {
/* Add the output of this derivations to the allowed
paths. */
allowPath(store->toRealPath(outputPath));
}
}
return res; return res;
} }
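Review bot: The trust boundary at `copyClosure(*buildStore, *store, outputsToCopyAndAllow)` near the end of the second hunk is undocumented: this is where build-store output crosses into the eval store and is then imported as Nix code. The call passes no explicit signature-check argument, so it relies on copyClosure's default and on the eval store's own signature settings; the commit message states this requirement but the source does not. I would add a comment above the call such as `/* IFD outputs are built on buildStore and copied back so they can be imported; the eval store must trust buildStore's signatures or this copy fails. */`. Separately, `store != buildStore` looks like an identity comparison of the two store handles, so two handles opened on the same store would presumably still take the copy path, which is worth confirming as harmless. realiseContext begins above the first hunk, so how `drvs` is populated is not visible here.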


@ -28,3 +28,11 @@ nix-build dependencies.nix --eval-store "$eval_store" -o "$TEST_ROOT/result"
[[ -e $TEST_ROOT/result/foobar ]] [[ -e $TEST_ROOT/result/foobar ]]
(! ls $NIX_STORE_DIR/*.drv) (! ls $NIX_STORE_DIR/*.drv)
ls $eval_store/nix/store/*.drv ls $eval_store/nix/store/*.drv
clearStore
rm -rf "$eval_store"
# Confirm that import-from-derivation builds on the build store
[[ $(nix eval --eval-store "$eval_store?require-sigs=false" --impure --raw --file ./ifd.nix) = hi ]]
ls $NIX_STORE_DIR/*dependencies-top/foobar
(! ls $eval_store/nix/store/*dependencies-top/foobar)
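Review bot: The new IFD case only runs with `?require-sigs=false` on the eval store, so the signature check that the commit message says the copy-back depends on is never exercised. A second case with signature checking left on would pin the intended behaviour: the import succeeds when the build store's key is trusted by the eval store and the copy is refused when it is not. At minimum the `nix eval` line deserves a comment, assuming this is why the flag is there, such as `# require-sigs=false: outputs copied back from the build store are not signed with a key this eval store trusts`. The unquoted `$eval_store` and `$NIX_STORE_DIR` in the two `ls` lines match the older lines of the script but would break on a path containing spaces.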