[Nix-dev] is there something like unsafeImpureEnvVars?

Shea Levy shea at shealevy.com
Mon Apr 14 00:24:41 CEST 2014


Fetching source over the network is the main reason fixed output derivations even exist. When chroot builds are enabled, networking is not allowed for non-fixed output derivations. Why is this case special?

> On Apr 13, 2014, at 16:03, Ben Franksen <ben.franksen at online.de> wrote:
> 
> Hello
> 
> Is there *any* way (besides hacking the Nix source code) to circumvent the 
> limitation on impureEnvVars, i.e. that one has to provide the hash up front, 
> making the derivation fixed-output? What I am asking for is something akin 
> to unsafePerformIO in Haskell (which exists for similar situations, and 
> motivated the name unsafeImpureEnvVars in the subject).
> 
> Effectively I want to be able to say to Nix: "I swear these variables are 
> used in a pure way, just believe me."
> 
> Background:
> 
> I want to use fetchdarcs for remote repositories via ssh; we use darcs to 
> version control our software internally (even stuff we get from the outside, 
> to track patches for customisation and bug fixes). We use tags to identify 
> versions and have lots of darcs repos, all on a single server, accessible to 
> developers via ssh.
> 
> Unfortunately, fetchdarcs fails in this case because, to avoid being asked 
> for a passphrase, ssh (in this case called via darcs) needs to know how to 
> access a running ssh agent, and this knowledge is encoded in two environment 
> variables: SSH_AGENT_PID and SSH_AUTH_SOCK. But of course these are not 
> defined in the builder, its environment gets cleared before it starts.
> 
> Now, there is the attribute impureEnvVars. But that works only if you pass 
> the expected hash to the builder (so the derivation becomes fixed-output). 
> That means either I hard-code the expected hash into the derivation, or pass 
> it as an argument. In both cases, I need to find out the hash before-hand. 
> This makes it very inconvenient for users to add new versions of packages.
> 
> Note that this is *only* because of the two environment variables. I can use 
> fetchdarcs just fine with any local path or remote http url without 
> providing any hash.
> 
> Note also that use of these variables does not imply any impurity, they are 
> only used for authentication.
> 
> Cheers
> Ben
> -- 
> "Make it so they have to reboot after every typo." -- Scott Adams
> 
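For reference, this is the shape of the fixed-output workaround Ben describes: an added example, not code from either message or from nixpkgs. The repository URL, tag, known_hosts path and the all-zero hash are placeholders; Nix only honours impureEnvVars (and allows network access) because outputHash pins what the builder may produce.

```nix
# Added example: forwarding the ssh-agent variables into a fixed-output
# derivation. Nix accepts the impure variables and network access here only
# because the output is pinned by outputHash, so impurity cannot leak into
# the store contents.
{ pkgs ? import <nixpkgs> {} }:

pkgs.stdenv.mkDerivation {
  name = "internal-repo-src";

  # Copied from the user's environment into the otherwise empty builder env.
  impureEnvVars = [ "SSH_AUTH_SOCK" "SSH_AGENT_PID" ];

  # These three attributes make the derivation fixed-output. The hash is a
  # placeholder: build once with it, then copy the "got:" value Nix reports.
  outputHashMode = "recursive";
  outputHashAlgo = "sha256";
  outputHash = "0000000000000000000000000000000000000000000000000000";

  nativeBuildInputs = [ pkgs.darcs pkgs.openssh ];

  # The builder has no HOME, so ssh cannot find a known_hosts file. Supply a
  # pinned one (hypothetical path) instead of disabling host-key checking.
  DARCS_SSH = "ssh -o UserKnownHostsFile=${./known_hosts}";

  # Hypothetical server and tag; darcs (2014 syntax) fetches over ssh using
  # the forwarded agent for authentication only.
  buildCommand = ''
    darcs get --lazy --tag v1.2 \
      user@darcs.example.internal:/repos/project "$out"
    rm -rf "$out/_darcs"
  '';
}
```

The hash still has to be known up front, which is exactly the inconvenience the question is about; the fixed-output requirement is what lets Nix reason about the result regardless of what ssh and darcs do at build time.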

