Is your feature request related to a problem? Please describe.
Import From Derivation is not allowed in flakes that are indexed by search.nixos.org. This choice was made out of necessity, because building arbitrary stuff from the internet is a bad idea for security, and it'd slow things down.
For search to pull this off, it needs changes in Nix.
Describe the solution you'd like
Most open source projects come with a cache that's used for CI and/or development. This means that the derivations to build are often available somewhere. Performing arbitrary substitution is perhaps even worse for security, but we don't have to substitute. Outputs read in IFD are generally small single store paths with no dependencies. Instead of substituting those, we could read those paths directly from the remote store, thus avoiding the incorrect trust implied by substitution of an input addressed output.
Describe alternatives you've considered
Shouldn't -j 0 and an eval store achieve the same? The eval store could be single use or a persistent cache. Maybe have a store parameter to remove all the executable file flags?
Let flakes push their metadata to an API. This seems like a rather heavyweight solution.
Additional context
Priorities
Add 👍 to issues you find important.