From 93f863be9626e5455458abf9e449586270e98163 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Wed, 8 Mar 2017 08:46:12 -0500 Subject: [PATCH 1/2] Add option to disable import-from-derivation completely, even if the drv is already realized --- src/libexpr/primops.cc | 2 ++ src/libstore/globals.cc | 2 ++ src/libstore/globals.hh | 3 +++ 3 files changed, 7 insertions(+) diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index 5a570cefb..93097f3d1 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -59,6 +59,8 @@ void EvalState::realiseContext(const PathSet & context) drvs.insert(decoded.first + "!" + decoded.second); } if (!drvs.empty()) { + if (!settings.enableImportFromDerivation) + throw EvalError(format("attempted to realize ‘%1%’ during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin())); /* For performance, prefetch all substitute info. */ PathSet willBuild, willSubstitute, unknown; unsigned long long downloadSize, narSize; diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index fcd634729..df537a512 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -70,6 +70,7 @@ Settings::Settings() enableImportNative = false; netrcFile = fmt("%s/%s", nixConfDir, "netrc"); caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt")); + enableImportFromDerivation = true; } @@ -185,6 +186,7 @@ void Settings::update() _get(keepGoing, "keep-going"); _get(keepFailed, "keep-failed"); _get(netrcFile, "netrc-file"); + _get(enableImportFromDerivation, "allow-import-from-derivation"); } diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 1e6b7c083..7a9a9f6c0 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -198,6 +198,9 @@ struct Settings { /* Path to the SSL CA file used */ Path caFile; + /* Whether we allow import-from-derivation */ + bool enableImportFromDerivation; + private: SettingsMap settings, overrides; From 5f831c10574ae7ec44d0d357a6a371ac55d00593 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Wed, 8 Mar 2017 09:12:03 -0500 Subject: [PATCH 2/2] Add docs for allow-import-from-derivation --- doc/manual/command-ref/conf-file.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index 96f8a4b60..b1b604100 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -644,6 +644,16 @@ password my-password + allow-import-from-derivation + + By default, nix allows you to import from a derivation, + allowing building at evaluation time. With this option set to false, nix will throw an error + when evaluating an expression that uses this feature, allowing users to ensure their evaluation + will not require any builds to take place. + + + +