`fetchGit` with a rev is pure, but not available in restricted mode without a sha

[michaelpj]

builtins.fetchGit is considered to be a pure derivation when it has a revision. But counterintutively (to me at least), it is not available in restricted mode unless it also has a sha, making it a fixed-output derivation (or you put the URL in allowed-uris).

This doesn't make much sense to me. As I understand it, the point of restricted mode is to prevent Hydra from fetching arbitrary things from the network. But we allow this for fixed-output derivations, where the output is pinned down. Why not for fetchGit, where the output is pinned down by a rev?

[domenkozar]

iirc you can use rev as a reference to a tag, which can be force pushed.

[michaelpj]

iirc you can use rev as a reference to a tag, which can be force pushed.

I'd have expected you'd need to use ref for that, surely?

[michaelpj]

And if that's the case, then it shouldn't be considered pure either.

[roberth]

iirc you can use rev as a reference to a tag, which can be force pushed.

If that's the case we can fetch the commit as usual and check that the commit hash equals rev. Doing so will restore purity for these evaluation modes.

[edolstra]

@michaelpj I can't reproduce. This works:

$ nix eval '(builtins.fetchGit { url = https://github.com/NixOS/patchelf.git; rev = "2ba64817ec6f3b714503ea6e6aa8439505bb7393"; })' --restrict-eval --allowed-uris https://github.com
{ outPath = "/nix/store/ad7c8h6bd8xr0pg2qll0npinjpb360m0-source"; rev = "2ba64817ec6f3b714503ea6e6aa8439505bb7393"; revCount = 339; shortRev = "2ba6481"; }

BTW I'm thinking about removing allowed-uris since it's kind of a pointless feature. The new fetchers don't enforce it anymore.

[michaelpj]

Sorry, I should have clarified, this is without allowed-uris. Admittedly, it is then fetching something outside of allowed-uris, but we allow this for fixed-output derivations, and I'm arguing that fetchGit with a rev should be treated like a fixed-output-derivation.

[michaelpj]

WRT getting rid of allowed-uris or restricted evaluation mode: my real usecase is just that I want to do this on hydra, so it would be nice if it worked under whatever conditions hydra enforces after getting rid of allowed-uris. e.g. if hydra enforced` pure mode, that would work fine.

[stale]

I marked this as stale due to inactivity. → More info

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/how-do-language-tools-that-use-import-from-derivation-ifd-work/14003/2

[roberth]

While conceptually the premise of this issue is correct, the current implementation is not actually reproducible because of the bad git clean/smudge filter handling. See #4635 for a partial fix.

[stale]

I marked this as stale due to inactivity. → More info