New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove restricted eval mode #1701
Comments
Will paths obtained with |
Point: this will limit CIs to always only evaluate on linux, which may or may not be desired. |
I marked this as stale due to inactivity. → More info |
I closed this issue due to inactivity. → More info |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/what-is-restricted-evaluation-mode-in-nix/26578/1 |
This feature was added to ensure that Hydra jobs don't access files they're not supposed to touch. However, it would be a lot easier and more secure to just have
hydra-eval-jobset
runhydra-eval-jobs
in a mount namespace containing only the input directories.The
allowed-uris
option should be kept though, since that cannot be easily enforced via sandboxing.The text was updated successfully, but these errors were encountered: