Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow writing path input to lock file #12004

Open
2 tasks
roberth opened this issue Dec 4, 2024 · 3 comments
Open
2 tasks

Disallow writing path input to lock file #12004

roberth opened this issue Dec 4, 2024 · 3 comments
Labels
feature Feature request or proposal fetching Networking with the outside (non-Nix) world, input locking flakes

Comments

@roberth
Copy link
Member

roberth commented Dec 4, 2024
edited
Loading

Is your feature request related to a problem?

Host paths are not reproducible, so they're not a good source for flake inputs.

Proposed solution

Disallow writing path input to lock file. Throw an error.
Maybe have a flag --allow-unreproducible-local-path-input for the use case where users are testing something locally and they can't pass --override-input for whatever reason (getFlake, non-interactive Nix use, direnv, not-great CLIs, etc).

Alternative solutions

Additional context

May also solve

Checklist

Add 👍 to issues you find important.
@roberth roberth added feature Feature request or proposal flakes fetching Networking with the outside (non-Nix) world, input locking labels Dec 4, 2024
@roberth roberth added this to Nix team Dec 4, 2024
@github-project-automation github-project-automation bot moved this to To triage in Nix team Dec 4, 2024
@roberth roberth mentioned this issue Dec 4, 2024
Open
2 tasks
@nixos-discourse
Copy link

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-12-04-nix-team-meeting-minutes-200/57005/1

@Enzime
Copy link
Member

Enzime commented Dec 4, 2024
edited
Loading

Subflakes write path inputs to lock file, but they're relative paths instead of store paths like hercules-ci/flake-parts#252 (comment)

{
  "locked": {
    "lastModified": 1,
    "narHash": "sha256-GQi2Zqvsm80KrZEsq+zb2lt+eHRFTZt8aPXzOiCWLPI=",
    "path": "overlays/nix",
    "type": "path"
  },
  "original": {
    "path": "overlays/nix",
    "type": "path"
  }
}

Will this change conflict with #10089?

@edolstra
Copy link
Member

@Enzime Regardless of whether we disallow absolute paths in lock files, we will keep relative paths for subflakes.

@edolstra edolstra removed this from Nix team Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature Feature request or proposal fetching Networking with the outside (non-Nix) world, input locking flakes
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@roberth @edolstra @Enzime @nixos-discourse