`fetchGit` with a rev is pure, but not available in restricted mode without a sha
michaelpj opened this issue · 11 comments
`builtins.fetchGit` is considered to be a pure derivation when it has a revision. But counterintuitively (to me at least), it is not available in restricted mode unless it also has a sha, making it a fixed-output derivation (or you put the URL in `allowed-uris`).

This doesn't make much sense to me. As I understand it, the point of restricted mode is to prevent Hydra from fetching arbitrary things from the network. But we allow this for fixed-output derivations, where the output is pinned down. Why not for `fetchGit`, where the output is pinned down by a rev?
iirc you can use rev as a reference to a tag, which can be force pushed.
> iirc you can use rev as a reference to a tag, which can be force pushed.

I'd have expected you'd need to use `ref` for that, surely?

And if that's the case, then it shouldn't be considered pure either.
> iirc you can use rev as a reference to a tag, which can be force pushed.

If that's the case we can fetch the commit as usual and check that the commit hash equals `rev`. Doing so will restore purity for these evaluation modes.
@michaelpj I can't reproduce. This works:

```
$ nix eval '(builtins.fetchGit { url = https://github.com/NixOS/patchelf.git; rev = "2ba64817ec6f3b714503ea6e6aa8439505bb7393"; })' --restrict-eval --allowed-uris https://github.com
{ outPath = "/nix/store/ad7c8h6bd8xr0pg2qll0npinjpb360m0-source"; rev = "2ba64817ec6f3b714503ea6e6aa8439505bb7393"; revCount = 339; shortRev = "2ba6481"; }
```
BTW I'm thinking about removing `allowed-uris` since it's kind of a pointless feature. The new fetchers don't enforce it anymore.
Sorry, I should have clarified, this is without `allowed-uris`. Admittedly, it is then fetching something outside of `allowed-uris`, but we allow this for fixed-output derivations, and I'm arguing that `fetchGit` with a rev should be treated like a fixed-output derivation.

WRT getting rid of `allowed-uris` or restricted evaluation mode: my real use case is just that I want to do this on `hydra`, so it would be nice if it worked under whatever conditions `hydra` enforces after getting rid of `allowed-uris`. E.g. if `hydra` enforced pure mode, that would work fine.
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/how-do-language-tools-that-use-import-from-derivation-ifd-work/14003/2