[Nix-dev] is there something like unsafeImpureEnvVars?

Peter Simons simons at cryp.to
Mon Apr 14 14:51:12 CEST 2014


Hi Ben,

 >> Fetching source over the network is the main reason fixed output
 >> derivations even exist. When chroot builds are enabled, networking is not
 >> allowed for non-fixed output derivations.
 >
 > Interesting, I did not know this.
 >
 > I agree that this policy makes sense for stuff that gets downloaded from the
 > internet, and especially if you base a complete Linux distribution on it
 > (security considerations: you want to make sure that the source has not been
 > tampered with).

another feature of fixed output derivations is that the $out hash
does not depend on the commands that were used to generate $out. If a
command like

   ${curl}/bin/curl http://example.org/foobar-1.1.tar.gz

would go into the $out hash -- like build scripts normally do --, then
source tarballs would have to be re-downloaded every time their URL
changes. If curl ever changed, then we'd have to re-download everything!
Fixed output derivations avoid this overhead (while also improving
security somewhat, because we track hashes for our sources).

Take care,
Peter
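The property Peter describes can be seen directly in a hand-written fixed-output derivation. The following is an added example, not code from the original message or from Nix/nixpkgs; it uses the `builtins.derivation` primitive (rather than `stdenv.mkDerivation`) so that the only inputs are the ones shown, and the URL and the all-zero `outputHash` are placeholders to be replaced with a real tarball and its real hash.

```nix
# Added example (not part of the original message). A minimal fixed-output
# derivation that downloads a tarball with curl, in the spirit of the command
# quoted in the thread. Assumptions: a nixpkgs checkout is on NIX_PATH; the
# URL and the all-zero sha256 are PLACEHOLDERS, not a real artefact.
{ pkgs ? import <nixpkgs> {} }:

derivation {
  name = "foobar-1.1.tar.gz";
  system = builtins.currentSystem;

  # The build script: it may touch the network only because this derivation is
  # fixed-output (see the three outputHash* attributes below). In a chroot
  # build a normal derivation running the same curl command would fail.
  builder = "${pkgs.bash}/bin/bash";
  args = [ "-c" ''
    set -euo pipefail
    ${pkgs.curl}/bin/curl --fail --location \
      --output "$out" \
      http://example.org/foobar-1.1.tar.gz   # PLACEHOLDER URL
  '' ];

  # These attributes make the derivation fixed-output. Nix derives the store
  # path of $out from the name and this hash alone, not from the builder, the
  # URL or the curl version, so changing any of those does not change $out
  # and does not force a re-download if a matching output already exists.
  # If the downloaded bytes do not hash to outputHash, the build fails with a
  # hash mismatch, which is the source-integrity check Peter mentions.
  outputHashMode = "flat";                        # hash the single file as-is
  outputHashAlgo = "sha256";
  outputHash = "0000000000000000000000000000000000000000000000000000000000000000"; # PLACEHOLDER
}
```

Building this with `nix-build` against a real URL and hash, then changing the URL to a mirror or bumping the pinned curl, leaves the store path unchanged and reuses the already-present output. In nixpkgs the same three attributes are what `fetchurl` sets for you, which is why `src = fetchurl { url = ...; sha256 = ...; }` does not rebuild the world when the fetcher's dependencies change.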


