-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fetchClosure
: input addressed and pure
#8370
fetchClosure
: input addressed and pure
#8370
Conversation
fetchClosure
: input addressed and pure
6542be8
to
3e3ad34
Compare
Last commit I think warrants additional tests. |
After this PR, I think it would be good to break up the implementation function into multiple functions. We could use a |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2023-05-19-nix-team-meeting-minutes-56/28446/1 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2023-05-22-nix-team-meeting-minutes-57/28447/1 |
3e3ad34
to
879ebb6
Compare
f4c8ee3
to
3bb5c6c
Compare
src/libexpr/primops/fetchClosure.cc
Outdated
If `fromPath` is already content-addressed, or if you are | ||
allowing impure evaluation (`--impure`), then `toPath` may be | ||
omitted. | ||
By rewriting the store paths, you can add the contents to any store without requiring that you or perhaps your users configure any extra trust. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Explanation of trust not entirely in scope for this piece of documentation. New section TBD:
Code looks great now, but do we need more tests and release notes? |
3bb5c6c
to
e7053b9
Compare
I did add a little release note
Does that look ok to you? All I could think of adding is instructions, but I think the linked reference docs should cover that, as well as the error messages.
The basics are covered, but I'll have another look at it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The error mechanism is really good, as it's largely self-explanatory! Lots of suggestions to make the wording as clear and concise as possible, I hope they're straightforward to commit if not contentious.
src/libexpr/primops/fetchClosure.cc
Outdated
**Rewriting a store path** | ||
|
||
This first example fetches `/nix/store/r2jd...` from the specified binary cache, | ||
and rewrites it into the content-addressed store path | ||
`/nix/store/ldbh...`. | ||
|
||
If `fromPath` is already content-addressed, or if you are | ||
allowing impure evaluation (`--impure`), then `toPath` may be | ||
omitted. | ||
By rewriting the store paths, you can add the contents to any store without requiring that you or perhaps your users configure any extra trust. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd omit all this. The first example is explained by the line introducing it. Let's not go into recommendations here until we explain trust and that stuff somewhere first. Let's focus on providing the mechanism and showing how it's used.
Sorry I missed the release note: I was reviewing too tired :/. For the tests I might be underestimating how good they were before, but it seems now are more systematic about error checking and thus there are a number of failure modes to test? |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2023-06-05-nix-team-meeting-minutes-60/28933/1 |
e3b22c3
to
1224fbd
Compare
I'll make this draft and then @roberth can undraft it when I should review it again. |
When explicitly requested by the caller, as suggested in the meeting (NixOS#8090 (comment)) > @edolstra: { toPath } vs { fromPath } is too implicit I've opted for the `inputAddressed = true` requirement, because it we did not agree on renaming the path attributes. > @roberth: more explicit > @edolstra: except for the direction; not immediately clear in which direction the rewriting happens This is in fact the most explicit syntax and a bit redundant, which is good, because that redundancy lets us deliver an error message that reminds expression authors that CA provides a better experience to their users.
A single variable is nice and self-contained.
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
We should check error messages, so that we know the command fails for the right reason. Alternatively, a mere typo can run the test undetected.
1224fbd
to
fefb947
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The other comments about moving the example explanations into the examples still apply.
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Done. They are now interleaved with the docs that describe those invocations; no more "overview" means less switching between the three "use cases" and less repetition. You can still get the overview by looking at just the headers and/or just the examples. |
940e9c9
to
9fc82de
Compare
Motivation
Input addressed binary dependencies are not impure, so requiring
--impure
for them would open users up to actual impurities, which is counterproductive. Instead, we accept the fact that a trusted key may be required, but we do remind expression authors that CA does not require this.Context
Follow-up to #8090 (comment)
Checklist for maintainers
Maintainers: tick if completed or explain if not relevant
tests/**.sh
src/*/tests
tests/nixos/*
Priorities
Add 👍 to pull requests you find important.