From 162cc2a18049539336403543ccb706fa274f4be9 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 27 Mar 2024 14:49:45 +0100
Subject: [PATCH 1/2] Add trust-tarballs-from-git-forges setting
If enabled, GitHub flakerefs don't require a content hash, a Git revision is enough.
Fixes #10297.
(cherry picked from commit 46d9e70c2026eba5c029a5b9fe3ba24b5c3312e3)
---
 src/libfetchers/fetch-settings.hh | 17 ++++++++++++++++-
 src/libfetchers/github.cc | 4 +++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/libfetchers/fetch-settings.hh b/src/libfetchers/fetch-settings.hh
index f095963a8..d085f0d82 100644
--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@@ -78,7 +78,6 @@ struct FetchSettings : public Config
 )", {}, true, Xp::Flakes};
-
 Setting useRegistries{this, true, "use-registries", "Whether to use flake registries to resolve flake references.", {}, true, Xp::Flakes};
@@ -94,6 +93,22 @@ struct FetchSettings : public Config
 empty, the summary is generated based on the action performed.
 )", {}, true, Xp::Flakes};
+
+ Setting trustTarballsFromGitForges{
+ this, true, "trust-tarballs-from-git-forges",
+ R"(
+ If enabled (the default), Nix will consider tarballs from
+ GitHub and similar Git forges to be locked if a Git revision
+ is specified,
+ e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f`.
+ This requires Nix to trust that the provider will return the
+ correct contents for the specified Git revision.
+
+ If disabled, such tarballs are only considered locked if a
+ `narHash` attribute is specified,
+ e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f?narHash=sha256-PPXqKY2hJng4DBVE0I4xshv/vGLUskL7jl53roB8UdU%3D`.
+ )"};
+
 };
 // FIXME: don't use a global variable.
diff --git a/src/libfetchers/github.cc b/src/libfetchers/github.cc
index 8100afe4d..60e323464 100644
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
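Review bot: The new `trustTarballsFromGitForges` setting defaults to `true`, which silently widens the trust boundary for every rev-only GitHub-style input: an archive carries no commit object, so nothing in the fetch can check the tarball contents against the Git revision, and with the default on the reproducibility of a rev-only lock rests entirely on the forge and the transport to it. The doc string should say that plainly for someone deciding whether to keep the default; suggest appending `Note that the tarball contents are not verified against the revision; only a \`narHash\` gives content verification.` to the first paragraph. The phrase "GitHub and similar Git forges" leaves the reader guessing which schemes are affected — presumably everything derived from `GitArchiveInputScheme`, which the github.cc hunk shows, but the doc should name them. It is also worth confirming that omitting the trailing `{}, true, Xp::Flakes` arguments the neighbouring settings pass is deliberate, since the second patch exercises the setting through `builtins.fetchTree` rather than through flakes.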
@@ -294,7 +294,9 @@ struct GitArchiveInputScheme : InputScheme
 Git revision alone, we also require a NAR hash for locking. FIXME: in the future, we may want to require a Git tree hash instead of a NAR hash. */
- return input.getRev().has_value() && input.getNarHash().has_value();
+ return input.getRev().has_value()
+ && (fetchSettings.trustTarballsFromGitForges ||
+ input.getNarHash().has_value());
 }
 std::optional experimentalFeature() const override
From b77b2c22c1b685c4aba894e4fd424318081b26e9 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 27 Mar 2024 15:53:11 +0100
Subject: [PATCH 2/2] Add test
(cherry picked from commit 00ce36fafe175ba607522a9c9d549a604ed00522)
---
 tests/nixos/github-flakes.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tests/nixos/github-flakes.nix b/tests/nixos/github-flakes.nix
index 6f8a5b9d8..221045009 100644
--- a/tests/nixos/github-flakes.nix
+++ b/tests/nixos/github-flakes.nix
@@ -187,9 +187,14 @@ in
 client.succeed("nix flake metadata nixpkgs --tarball-ttl 0 >&2")
 # Test fetchTree on a github URL.
- hash = client.succeed(f"nix eval --raw --expr '(fetchTree {info['url']}).narHash'")
+ hash = client.succeed(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr '(fetchTree {info['url']}).narHash'")
 assert hash == info['locked']['narHash']
+ # Fetching without a narHash should succeed if trust-github is set and fail otherwise.
+ client.succeed(f"nix eval --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}'")
+ out = client.fail(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}' 2>&1")
+ assert "will not fetch unlocked input" in out, "--no-trust-tarballs-from-git-forges did not fail with the expected error"
+
 # Shut down the web server. The flake should be cached on the client.
 github.succeed("systemctl stop httpd.service")
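Review bot: The comment kept directly above the changed `return` still says "we also require a NAR hash for locking", but the new condition accepts a rev alone whenever `fetchSettings.trustTarballsFromGitForges` is set, so the comment is now stale and contradicts the code it describes. Suggest rewording it to `we also require a NAR hash for locking, unless trust-tarballs-from-git-forges is set, in which case the forge is trusted to serve the archive matching the rev.` The enclosing function's signature is outside the hunk. Because this predicate is what lets a rev-only input count as locked, it is worth confirming elsewhere that the NAR hash computed on fetch is still written into the lock entry, so later fetches get content verification even when the trusted shortcut was taken; that cannot be seen from this hunk.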
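Review bot: The added comment refers to `trust-github`, a name that exists nowhere in the patch; the setting the next two lines exercise is `trust-tarballs-from-git-forges`, so write `# Fetching without a narHash should succeed if trust-tarballs-from-git-forges is set and fail otherwise.` The positive case only checks that the eval succeeds; asserting the result is stronger and proves the trusted path still yields the expected content: `hash2 = client.succeed(f"nix eval --raw --expr '(builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}).narHash'")` followed by `assert hash2 == info['locked']['narHash']`. The flakeref `github:github:fancy-enterprise/private-flake/...` repeats the `github:` prefix; if that is intentional for this harness, a short comment saying so would stop the next reader from "fixing" it.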