[Nix-dev] is there something like unsafeImpureEnvVars?
Shea Levy
shea at shealevy.com
Mon Apr 14 00:24:41 CEST 2014
Fetching source over the network is the main reason fixed output derivations even exist. When chroot builds are enabled, networking is not allowed for non-fixed output derivations. Why is this case special?
> On Apr 13, 2014, at 16:03, Ben Franksen <ben.franksen at online.de> wrote:
>
> Hello
>
> Is there *any* way (besides hacking the Nix source code) to circumvent the
> limitation on impureEnvVars, i.e. that one has to provide the hash up front,
> making the derivation fixed-output? What I am asking for is something akin
> to unsafePerformIO in Haskell (which exists for similar situations, and
> motivated the name unsafeImpureEnvVars in the subject).
>
> Effectively I want to be able to say to Nix: "I swear these variables are
> used in a pure way, just believe me."
>
> Background:
>
> I want to use fetchdarcs for remote repositories via ssh; we use darcs to
> version control our software internally (even stuff we get from the outside,
> to track patches for customisation and bug fixes). We use tags to identify
> versions and have lots of darcs repos, all on a single server, accessible to
> developers via ssh.
>
> Unfortunately, fetchdarcs fails in this case because, to avoid being asked
> for a passphrase, ssh (in this case called via darcs) needs to know how to
> access a runnig ssh agent, and this knowledge is encoded in two environment
> variables: SSH_AGENT_PID and SSH_AUTH_SOCK. But of course these are not
> defined in the builder, its environment gets cleared before it starts.
>
> Now, there is the attribute impureEnvVars. But that works only if you pass
> the expected hash to the builder (so the derivation becomes fixed-output).
> That means either I hard-code the expected hash into the derivation, or pass
> it as an argument. In both cases, I need to find out the hash before-hand.
> This makes it very inconvenient for users to add new version of packages.
>
> Note that this is *only* because of the two environment variables. I can use
> fetchdarcs just fine with any local path or remote http url without
> providing any hash.
>
> Note also that use of these variables does not imply any impurity, they are
> only used for authentication.
>
> Cheers
> Ben
> --
> "Make it so they have to reboot after every typo." -- Scott Adams
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
More information about the nix-dev
mailing list