mirror of
https://github.com/NixOS/nix
synced 2025-06-29 19:03:16 +02:00
Make public keys and requireSigs local-store specific again
Thanks @regnat and @edolstra for catching this and comming up with the solution. They way I had generalized those is wrong, because local settings for non-local stores is confusing default. And due to the nature of C++ inheritance, fixing the defaults is more annoying than it should be. Additionally, I thought we might just drop the check in the substitution logic since `Store::addToStore` is now streaming, but @regnat rightfully pointed out that as it downloads dependencies first, that would still be too late, and also waste effort on possibly unneeded/unwanted dependencies. The simple and correct thing to do is just make a store method for the boolean logic, keeping all the setting and key stuff the way it was before. That new method is both used by `LocalStore::addToStore` and the substitution goal check. Perhaps we might eventually make it fancier, e.g. sending the ValidPathInfo to remote stores for them to validate, but this is good enough for now.
This commit is contained in:
John Ericson
parent
0027b05a15
commit
7af743470c
5 changed files with 43 additions and 26 deletions
|
|
@ -189,10 +189,6 @@ struct StoreConfig : public Config
|
|||
|
||||
const Setting<bool> isTrusted{this, false, "trusted", "whether paths from this store can be used as substitutes even when they lack trusted signatures"};
|
||||
|
||||
Setting<bool> requireSigs{this,
|
||||
settings.requireSigs,
|
||||
"require-sigs", "whether store paths should have a trusted signature on import"};
|
||||
|
||||
Setting<int> priority{this, 0, "priority", "priority of this substituter (lower value means higher priority)"};
|
||||
|
||||
Setting<bool> wantMassQuery{this, false, "want-mass-query", "whether this substituter can be queried efficiently for path validity"};
|
||||
|
|
@ -376,6 +372,21 @@ public:
|
|||
void queryPathInfo(const StorePath & path,
|
||||
Callback<ref<const ValidPathInfo>> callback) noexcept;
|
||||
|
||||
/* Check whether the given valid path info is sufficiently well-formed
|
||||
(e.g. hash content-address or signature) in order to be included in the
|
||||
given store.
|
||||
|
||||
These same checks would be performed in addToStore, but this allows an
|
||||
earlier failure in the case where dependencies need to be added too, but
|
||||
the addToStore wouldn't fail until those dependencies are added. Also,
|
||||
we don't really want to add the dependencies listed in a nar info we
|
||||
don't trust anyyways.
|
||||
*/
|
||||
virtual bool pathInfoIsTrusted(const ValidPathInfo &)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
protected:
|
||||
|
||||
virtual void queryPathInfoUncached(const StorePath & path,
|
||||
|
|
@ -719,20 +730,11 @@ public:
|
|||
return toRealPath(printStorePath(storePath));
|
||||
}
|
||||
|
||||
const PublicKeys & getPublicKeys();
|
||||
|
||||
virtual void createUser(const std::string & userName, uid_t userId)
|
||||
{ }
|
||||
|
||||
protected:
|
||||
|
||||
struct CryptoState
|
||||
{
|
||||
std::unique_ptr<PublicKeys> publicKeys;
|
||||
};
|
||||
|
||||
Sync<CryptoState> _cryptoState;
|
||||
|
||||
Stats stats;
|
||||
|
||||
/* Unsupported methods. */
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue