[Nix-dev] is there something like unsafeImpureEnvVars?
Peter Simons
simons at cryp.to
Mon Apr 14 14:51:12 CEST 2014
Hi Ben,
>> Fetching source over the network is the main reason fixed output
>> derivations even exist. When chroot builds are enabled, networking is not
>> allowed for non-fixed output derivations.
>
> Interesting, I did not know this.
>
> I agree that this policy makes sense for stuff that gets downloaded from the
> internet, and especially if you base a complete linux distribution on it
> (security considerations: you want to make sure that the source has not been
> tampered with).
another feature of fixed output derivations is that the $out hash
does not depend on the commands that were used to generate $out. If a
command like
${curl}/bin/curl http://example.org/foobar-1.1.tar.gz
would go into the $out hash -- like build scripts normally do --, then
source tarballs would have to be re-downloaded every time their URL
changes. If curl ever changed, then we'd have to re-download everything!
Fixed output derivations avoid this overhead (while also improving
security somewhat, because we track hashes for our sources).
Take care,
Peter
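The contrast Peter describes, written out as a Nix expression. This is an added example, not code from the mail or from Nix itself. It assumes a <nixpkgs> channel is available, reuses the http://example.org/foobar-1.1.tar.gz URL from the mail as a hypothetical tarball, and uses an all-zero sha256 as a placeholder: building `src` will stop with a hash mismatch until that placeholder is replaced with the real hash of the file.

```nix
# Added example (not from the original mail): a fixed-output derivation
# beside a normal one, using builtins.derivation directly so that every
# attribute Nix looks at is visible. The URL is hypothetical and the hash
# is a placeholder; Nix refuses the download until the real sha256 is filled in.
{ pkgs ? import <nixpkgs> {} }:

let
  inherit (pkgs) stdenv curl cacert gnutar gzip coreutils;

  url = "http://example.org/foobar-1.1.tar.gz";   # hypothetical
  expectedSha256 =                                 # placeholder, 64 hex zeros
    "0000000000000000000000000000000000000000000000000000000000000000";

  # 1. Fixed-output derivation.
  #    Because outputHash / outputHashAlgo / outputHashMode are set, the store
  #    path of $out is computed from name + algo + hash only. The builder
  #    script, the curl package and the URL are not part of that path, so a
  #    new curl or a moved tarball does not force a re-download. This is also
  #    the one kind of derivation a chroot build lets talk to the network,
  #    because the result is checked against the hash before it is accepted.
  src = builtins.derivation {
    name = "foobar-1.1.tar.gz";
    system = builtins.currentSystem;
    builder = stdenv.shell;
    # Attributes are exported to the builder as environment variables,
    # so "$url" below refers to the `url` attribute.
    args = [ "-ec" ''
      export PATH="${curl}/bin"
      export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
      curl --fail --location --output "$out" "$url"
    '' ];
    inherit url;
    outputHashMode = "flat";      # hash the file itself; "recursive" for trees
    outputHashAlgo = "sha256";
    outputHash = expectedSha256;
  };

  # 2. Normal derivation.
  #    No outputHash, so $out's path is a function of every input: the
  #    builder string, tar, gzip, coreutils and `src`. Touch any of them
  #    and the path changes and the build runs again. Networking is off
  #    inside this build; all it can consume is the already-verified `src`.
  unpacked = builtins.derivation {
    name = "foobar-1.1-unpacked";
    system = builtins.currentSystem;
    builder = stdenv.shell;
    args = [ "-ec" ''
      export PATH="${gnutar}/bin:${gzip}/bin:${coreutils}/bin"
      mkdir -p "$out"
      tar -xzf "${src}" -C "$out"
    '' ];
  };
in
{
  inherit src unpacked;
}
```

Two checks worth running on this: `nix-instantiate --eval` style inspection of `src.outPath` shows the same store path before and after editing `url` or bumping `curl`, which is exactly the overhead Peter is describing; and `nix-build -A src` with the zero hash fails with a hash mismatch, which is the only thing standing between the network and the store for a fixed-output build. That also bounds the security benefit: the hash pins the bytes, so it catches a tampered or replaced tarball, but only if the expected hash itself came from somewhere trustworthy rather than being copied from the first download.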