
hydra_unstable: add patch for fixing accessing git inputs on flakes #273388

Merged: lheckemann merged 1 commit into NixOS:master from NickCao:hydra-fix on Dec 12, 2023


@NickCao
Member

@NickCao NickCao commented Dec 10, 2023

Description of changes

While the patch does fix flake evaluations, it weakens the security guarantees by a bit.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@NickCao NickCao requested a review from Mindavi December 10, 2023 17:17
@ofborg ofborg bot requested review from dasJ and lheckemann December 10, 2023 21:07
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. labels Dec 10, 2023
@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one person. label Dec 11, 2023
@ofborg ofborg bot requested a review from lheckemann December 11, 2023 17:13
@lheckemann lheckemann merged commit b169e74 into NixOS:master Dec 12, 2023
@NickCao NickCao deleted the hydra-fix branch December 12, 2023 13:24
@SuperSandro2000
Member

How did this even break?

@lheckemann
Member

@SuperSandro2000 the fact that it worked was a bug (and we've arguably reintroduced it here): restrict-eval is supposed to limit the URLs accessible to those specified in allowed-uris -- but this restriction didn't apply to github flake inputs since they didn't expose a URL. The "right" solution now would be to remove this patch and set allowed-uris to allow whole schemes (if desired) once NixOS/nix#9547 is in the version of Nix used by hydra.
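
The trade-off described in the comment above, as an added example that is not part of the PR or of Nix's source: a small Python model of how an `allowed-uris` list admits or rejects input URIs under `restrict-eval`, comparing a narrow list with one that allows a whole scheme. It assumes the matching rule documented for `allowed-uris` in Nix releases that include NixOS/nix#9547 (a URI is allowed if it equals an entry, is a sub-path of it, or the entry is a scheme ending in `:`); the function names and sample URIs are constructed for illustration.

```python
# Added illustration: a model of the allowed-uris check, not Nix's own code.
# Assumed rule: a URI is admitted if it equals an entry, is a sub-path of an
# entry, or the entry is a whole scheme written with a trailing ':'.

def is_allowed_uri(uri, allowed_uris):
    """Return True if `uri` is admitted by any entry of `allowed_uris`."""
    for entry in allowed_uris:
        if not entry:
            continue
        if uri == entry:
            return True
        if len(uri) > len(entry) and uri.startswith(entry):
            # Sub-path: the match must end on a '/' boundary, so the entry
            # ".../NixOS" does not admit ".../NixOS-lookalike".
            if entry.endswith("/") or uri[len(entry)] == "/":
                return True
            # Whole scheme, e.g. "github:" admits every github: input.
            if entry.endswith(":"):
                return True
    return False


def audit(inputs, allowed_uris):
    """Map each input URI to whether restricted evaluation would admit it."""
    return {uri: is_allowed_uri(uri, allowed_uris) for uri in inputs}


# Constructed sample inputs (not taken from the PR).
SAMPLE_INPUTS = [
    "github:NixOS/nixpkgs/nixos-23.11",
    "github:example-org/example-repo",
    "https://github.com/NixOS/patchelf.git",
    "https://github.com/NixOS-lookalike/repo.git",
    "git+https://example.invalid/repo.git",
]

NARROW = ["https://github.com/NixOS", "github:NixOS/nixpkgs"]
WHOLE_SCHEME = ["https://github.com/NixOS", "github:"]

if __name__ == "__main__":
    for name, policy in (("narrow", NARROW), ("whole-scheme", WHOLE_SCHEME)):
        print(name)
        for uri, ok in audit(SAMPLE_INPUTS, policy).items():
            print(f"  {'allow' if ok else 'deny':5} {uri}")
```

Running an audit like this over a jobset's flake inputs shows which of them depend on a whole-scheme entry and which would still evaluate under a narrower list.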
