Rethink netrc/auth-helping handling: multiple netrcs? protocol auth-helping support? #254
Labels
No labels
Affects/CppNix
Affects/Nightly
Affects/Only nightly
Affects/Stable
Area/build-packaging
Area/cli
Area/evaluator
Area/fetching
Area/flakes
Area/language
Area/lix ci
Area/nix-eval-jobs
Area/profiles
Area/protocol
Area/releng
Area/remote-builds
Area/repl
Area/repl/debugger
Area/store
bug
Context
contributors
Context
drive-by
Context
maintainers
Context
RFD
crash 💥
Cross Compilation
devx
docs
Downstream Dependents
E/easy
E/hard
E/help wanted
E/reproducible
E/requires rearchitecture
imported
Language/Bash
Language/C++
Language/NixLang
Language/Python
Language/Rust
Needs Langver
OS/Linux
OS/macOS
performance
regression
release-blocker
stability
Status
blocked
Status
invalid
Status
postponed
Status
wontfix
testing
testing/flakey
Topic/Large Scale Installations
ux
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: lix-project/lix#254
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The behaviour of Lix with respect to fetching things in a manner that uses the netrc is confusing. In particular, the following works (on a currently auth requiring repo):
However~! This is because Lix shells out to
git
as the calling user, which then reads~/.netrc
. Lix itself completely ignores~/.netrc
by default, which is surprising to this creature at least.Thus, by default this does not work if only
~/.netrc
is configured (assuming this requires auth):A fix is to set
netrc-file
for the calling user, but then if the daemon needs the netrc for a build of abuiltin:fetchurl
derivation, that doesn't work.We know of attempts upstream to do credential helping via the protocol, but we don't really like the approach (i.e. forwarding the ssh agent to the daemon), since it introduces somewhat concerning attack surface by exposing the entire ssh agent protocol of ssh processes running as root to the user, which was not the case in the past.
Realistically fixing this cleanly requires a protocol rearchitecture to natively support credential-helping through the client side process, which is a priority for us but is somewhat distant.