From d9ba3385a9aa5ae18fc9310f827cff95f00ce9f3 Mon Sep 17 00:00:00 2001
From: regnat <rg@regnat.ovh>
Date: Fri, 30 Jul 2021 10:34:50 +0200
Subject: [PATCH 1/2] =?UTF-8?q?Don=E2=80=99t=20send=20the=20experimental-f?=
 =?UTF-8?q?eatures=20to=20the=20daemon?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The experimental features are, well, experimental, and shouldn’t be
carelessly and transparently enabled.
Besides, some (`ca-derivations` at least) need to be enabled at startup
in order to work properly.
So it’s better to just require that daemon be started with the right
`experimental-features` option.

Fix #5017
---
 src/libstore/remote-store.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc
index 140f39120..73f590e7b 100644
--- a/src/libstore/remote-store.cc
+++ b/src/libstore/remote-store.cc
@@ -222,6 +222,7 @@ void RemoteStore::setOptions(Connection & conn)
         overrides.erase(settings.buildCores.name);
         overrides.erase(settings.useSubstitutes.name);
         overrides.erase(loggerSettings.showTrace.name);
+        overrides.erase(settings.experimentalFeatures.name);
         conn.to << overrides.size();
         for (auto & i : overrides)
             conn.to << i.first << i.second.value;

From b2bce915adc6b1290494388b8c73b89c253629fb Mon Sep 17 00:00:00 2001
From: regnat <rg@regnat.ovh>
Date: Mon, 30 Aug 2021 10:39:31 +0200
Subject: [PATCH 2/2] =?UTF-8?q?Don=E2=80=99t=20accept=20experimental=20fea?=
 =?UTF-8?q?tures=20from=20the=20client?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the client sends an “experimental features” setting, just ignore it
---
 src/libstore/daemon.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc
index d68ff64d7..487416a13 100644
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@@ -227,6 +227,12 @@ struct ClientSettings
             try {
                 if (name == "ssh-auth-sock") // obsolete
                     ;
+                else if (name == settings.experimentalFeatures.name) {
+                    // We don’t want to forward the experimental features to
+                    // the daemon, as that could cause some pretty weird stuff
+                    if (tokenizeString<Strings>(value) != settings.experimentalFeatures.get())
+                        debug("Ignoring the client-specified experimental features");
+                }
                 else if (trusted
                     || name == settings.buildTimeout.name
                     || name == "connect-timeout"