build-support/fetchgitlab: enable to pass private_token as an option #82804

Open
wants to merge 1 commit into
base: master
from

Conversation

@talkara
Contributor

talkara commented Mar 17, 2020

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@symphorien
Contributor

symphorien commented Mar 17, 2020

This may put the token world readable in the corresponding .drv file.

@talkara
Contributor Author

talkara commented Mar 18, 2020

Our use case is providing the token from an environment variable like:

token = builtins.getEnv "GITLAB_PERSONAL_ACCESS_TOKEN";

Does this protect the token from the world?

I would appreciate some instructions on how this should be implemented here.

@symphorien
Contributor

symphorien commented Mar 19, 2020

Passing environment variables is unlikely to work because of the sandbox.
Even if you disable the sandbox, the build is executed by the daemon, not by the nix-build process for which you set the environment variable.
Also, if you do so, anyone with enough privileges to run builds can leak the environment variable.
No security is gained overall.
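The two comments above make one point worth checking by hand: every attribute passed to a derivation (including a `private_token` argument to a fetcher) is serialised into the `.drv` file, and `/nix/store` is world-readable, so any local user can recover the token with a plain grep. The script below is an added example, not code from this PR or from nixpkgs. It scans a directory of `.drv` files for a literal token value and, for offline demonstration, writes two constructed `.drv`-like files (a leaky one with a `private_token` attribute and a clean one with only the URL). The store path names, the builder paths, the GitLab URL and the `glpat-...` token value are all made up for the example; the real `.drv` format is ATerm, and only the attribute string matters for the leak.

```shell
#!/bin/sh
# Added example (not part of the PR or nixpkgs): a fetcher argument such as
# private_token ends up as a plain attribute in the derivation's .drv file
# under /nix/store, which is world-readable. These helpers show how trivially
# it can be recovered. Sample store contents below are constructed.

# Scan a directory of .drv files for a literal token value.
# Prints each matching path; returns 0 if the token was found, 1 otherwise.
find_token_in_drvs() {
    store_dir=$1
    token=$2
    found=1
    for drv in "$store_dir"/*.drv; do
        [ -e "$drv" ] || continue
        if grep -qF -- "$token" "$drv"; then
            echo "token present in: $drv"
            found=0
        fi
    done
    return $found
}

# Count how many .drv files in a directory contain the token.
count_token_drvs() {
    store_dir=$1
    token=$2
    grep -lF -- "$token" "$store_dir"/*.drv 2>/dev/null | wc -l | tr -d ' '
}

# Write a constructed, minimal .drv-like pair for demonstration. Paths, URL
# and token are hypothetical; the real format is ATerm, but the secret is
# stored as a literal attribute string exactly like this.
write_sample_store() {
    dir=$1
    token=$2
    mkdir -p "$dir"
    # Leaky: the token appears as an environment attribute of the derivation.
    printf 'Derive([("out","/nix/store/xxx-source","","")],[],[],"x86_64-linux","/nix/store/yyy-bash/bin/bash",["-e","/nix/store/zzz-builder.sh"],[("private_token","%s"),("url","https://gitlab.example.com/api/v4/projects/1/repository/archive.tar.gz")])\n' "$token" > "$dir/aaaa-leaky-source.drv"
    # Clean: no secret material, only the URL.
    printf 'Derive([("out","/nix/store/xxx-source","","")],[],[],"x86_64-linux","/nix/store/yyy-bash/bin/bash",["-e","/nix/store/zzz-builder.sh"],[("url","https://gitlab.example.com/api/v4/projects/1/repository/archive.tar.gz")])\n' > "$dir/bbbb-clean-source.drv"
    # Mirror the store's world-readable file mode.
    chmod 0444 "$dir"/*.drv
}

# Usage against a real store (read-only, runs as any unprivileged user):
#   find_token_in_drvs /nix/store "$GITLAB_PERSONAL_ACCESS_TOKEN"
```

Running `find_token_in_drvs /nix/store "$GITLAB_PERSONAL_ACCESS_TOKEN"` needs no root and no access to the daemon, which is the point: once the value is an attribute of a derivation, it is public to every local user for as long as the `.drv` stays in the store.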
