`fetchGit` with a rev is pure, but not available in restricted mode without a sha

Question

`fetchGit` with a rev is pure, but not available in restricted mode without a sha

michaelpj opened this issue 4 years ago · 11 comments

builtins.fetchGit is considered to be a pure derivation when it has a revision. But counterintutively (to me at least), it is not available in restricted mode unless it also has a sha, making it a fixed-output derivation (or you put the URL in allowed-uris).

This doesn't make much sense to me. As I understand it, the point of restricted mode is to prevent Hydra from fetching arbitrary things from the network. But we allow this for fixed-output derivations, where the output is pinned down. Why not for fetchGit, where the output is pinned down by a rev?

Answer 1 · 2020-04-02T09:21:23.000Z

iirc you can use rev as a reference to a tag, which can be force pushed.

Answer 2 · 2020-04-02T09:23:07.000Z

iirc you can use rev as a reference to a tag, which can be force pushed.

I'd have expected you'd need to use ref for that, surely?

Answer 3 · 2020-04-02T09:23:23.000Z

And if that's the case, then it shouldn't be considered pure either.

Answer 4 · 2020-04-02T11:17:26.000Z

iirc you can use rev as a reference to a tag, which can be force pushed.

If that's the case we can fetch the commit as usual and check that the commit hash equals rev. Doing so will restore purity for these evaluation modes.

Answer 5 · 2020-04-02T13:39:48.000Z

@michaelpj I can't reproduce. This works:

$ nix eval '(builtins.fetchGit { url = https://github.com/NixOS/patchelf.git; rev = "2ba64817ec6f3b714503ea6e6aa8439505bb7393"; })' --restrict-eval --allowed-uris https://github.com
{ outPath = "/nix/store/ad7c8h6bd8xr0pg2qll0npinjpb360m0-source"; rev = "2ba64817ec6f3b714503ea6e6aa8439505bb7393"; revCount = 339; shortRev = "2ba6481"; }

BTW I'm thinking about removing allowed-uris since it's kind of a pointless feature. The new fetchers don't enforce it anymore.

Answer 6 · 2020-04-02T14:00:01.000Z

Sorry, I should have clarified, this is without allowed-uris. Admittedly, it is then fetching something outside of allowed-uris, but we allow this for fixed-output derivations, and I'm arguing that fetchGit with a rev should be treated like a fixed-output-derivation.

Answer 7 · 2020-04-02T14:01:28.000Z

WRT getting rid of allowed-uris or restricted evaluation mode: my real usecase is just that I want to do this on hydra, so it would be nice if it worked under whatever conditions hydra enforces after getting rid of allowed-uris. e.g. if hydra enforced` pure mode, that would work fine.

Answer 8 · 2021-02-16T02:48:56.000Z

I marked this as stale due to inactivity. → More info

Answer 9 · 2021-07-09T21:12:44.000Z

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/how-do-language-tools-that-use-import-from-derivation-ifd-work/14003/2

Answer 10 · 2021-07-10T10:31:09.000Z

While conceptually the premise of this issue is correct, the current implementation is not actually reproducible because of the bad git clean/smudge filter handling. See #4635 for a partial fix.

Answer 11 · 2022-01-08T23:10:50.000Z

I marked this as stale due to inactivity. → More info