hydra-eval-jobs: don't use restrict-eval for Flakes

NixOS / hydra

Hydra, the Nix-based continuous build system

http://nixos.org/hydra

GNU General Public License v3.0

1.1k stars 291 forks source link

Open lheckemann opened 1 year ago

lheckemann commented 1 year ago

Pure evaluation should cover all the uses for restrict-eval, and restrict-eval currently breaks accessing Git inputs on Flakes1.

lheckemann commented 1 year ago

Draft, because:

I'm not 100% confident that there's nothing that works in pure-but-not-restricted eval but shouldn't work in the context of Hydra
This results in Flake evals being able to access the local filesystem and arbitrary URLs if pure evaluation mode is disabled, which is a significant change from before

lheckemann commented 1 year ago

I think it's OK to do this. People disabling pure evaluation presumably have a good reason to do so.

edolstra commented 1 year ago

This does open up access to path flakes in the local file system (e.g. by having a flake input path:/foo/bar), see EvalState::checkURI().

lheckemann commented 1 year ago

In that case, I guess fixing https://github.com/NixOS/nix/issues/7098 in Nix is the right approach to solving this problem.