nixos/nix-daemon: default nix.useSandbox to true.

NixOS · Jul 29, 2018 · 4f6df27 · 4f6df27
1 parent 6dd7ddd
commit 4f6df27
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -370,7 +370,9 @@ inherit (pkgs.nixos {
       <varname>s6-dns</varname>, <varname>s6-networking</varname>,
       <varname>s6-linux-utils</varname> and <varname>s6-portable-utils</varname> respectively.
     </para>
-   </listitem>
+  </listitem>
+  <listitem>
+    <para>The module option <option>nix.useSandbox</option> is now defaulted to <literal>true</literal>.
   </itemizedlist>
  </section>
 </section>
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
@@ -127,16 +127,16 @@ in
 
       useSandbox = mkOption {
         type = types.either types.bool (types.enum ["relaxed"]);
-        default = false;
+        default = true;
         description = "
           If set, Nix will perform builds in a sandboxed environment that it
           will set up automatically for each build. This prevents impurities
           in builds by disallowing access to dependencies outside of the Nix
           store by using network and mount namespaces in a chroot environment.
-          This isn't enabled by default for possible performance impacts due to
-          the initial setup time of a sandbox for each build. It doesn't affect
-          derivation hashes, so changing this option will not trigger a rebuild
-          of packages.
+          This is enabled by default even though it has a possible performance
+          impact due to the initial setup time of a sandbox for each build. It
+          doesn't affect derivation hashes, so changing this option will not
+          trigger a rebuild of packages.
         ";
       };