NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

Allow untrusted user to specify using subset of builders #2271

Open dtzWill opened 6 years ago

dtzWill commented 6 years ago

Untrusted users can't add new builders, but it seems reasonable to allow specifying fewer builders used -- most commonly I find I want to say "build this locally" using something like --option builders "" but this doesn't work. So I end up sometimes invoking as root just to force a local build.

Offhand I can't come up with a good example of why this is useful (to motivate such a change), but I can say I find myself running into this at least a few times a week. I think it's usually some combination of knowledge about the size of inputs vs network transfer time vs "compute power needed" -- for example many unfree packages have "sources" 100s of MB that it's silly to scp to a beefy builder from my home uplink ... just to perform an extraction and copy to $out. But there are other examples too :).

(I thought there was an issue for this already, but can't find it. Apologies if duplicate.)

grahamc commented 6 years ago

There is an option on the drv to prefer local builds. Have you tried that?

Graham

On Jul 4, 2018, at 11:00 AM, Will Dietz notifications@github.com wrote:

Untrusted users can't add new builders, but it seems reasonable to allow specifying fewer builders used -- most commonly I find I want to say "build this locally" using something like --option builders "" but this doesn't work. So I end up sometimes invoking as root just to force a local build.

Offhand I can't come up with a good example of why this is useful (to motivate such a change), but I can say I find myself running into this at least a few times a week. I think it's usually some combination of knowledge about the size of inputs vs network transfer time vs "compute power needed" -- for example many unfree packages have "sources" 100s of MB that it's silly to scp to a beefy builder from my home uplink ... just to perform an extraction and copy to $out. But there are other examples too :).

(I thought there was an issue for this already, but can't find it. Apologies if duplicate.)


dtzWill commented 6 years ago

Yes, certainly. It works for things that always should be built locally -- and perhaps the example I gave is such a case. It still seems useful to be able to opt out of performing distributed builds without requiring being a "trusted" user. More generally it seems the builders to use could safely be a subset of allowed builders, but for my use cases I think simply "--force-local" would do the trick.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity. → More info

stale[bot] commented 2 years ago

I closed this issue due to inactivity. → More info