Add trust-tarballs-from-git-forges setting

If enabled, GitHub flakerefs don't require a content hash, a Git revision is enough. Fixes #10297.
2025-07-06 09:11:47 +02:00 · 2024-03-27 14:49:45 +01:00 · 2024-03-27 14:49:45 +01:00 · 46d9e70c20
commit 46d9e70c20
parent de101417eb
2 changed files with 19 additions and 2 deletions
--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@ -78,7 +78,6 @@ struct FetchSettings : public Config
        )",
        {}, true, Xp::Flakes};

-
    Setting<bool> useRegistries{this, true, "use-registries",
        "Whether to use flake registries to resolve flake references.",
        {}, true, Xp::Flakes};
@ -94,6 +93,22 @@ struct FetchSettings : public Config
          empty, the summary is generated based on the action performed.
        )",
        {}, true, Xp::Flakes};
+
+    Setting<bool> trustTarballsFromGitForges{
+        this, true, "trust-tarballs-from-git-forges",
+        R"(
+          If enabled (the default), Nix will consider tarballs from
+          GitHub and similar Git forges to be locked if a Git revision
+          is specified,
+          e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f`.
+          This requires Nix to trust that the provider will return the
+          correct contents for the specified Git revision.
+
+          If disabled, such tarballs are only considered locked if a
+          `narHash` attribute is specified,
+          e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f?narHash=sha256-PPXqKY2hJng4DBVE0I4xshv/vGLUskL7jl53roB8UdU%3D`.
+        )"};
+
 };

 // FIXME: don't use a global variable.