Merge pull request #12376 from DeterminateSystems/fetch-using-nar-hash

Allow fetching using NAR hash without --allow-dirty-locks
2025-07-07 01:51:47 +02:00 · 2025-02-02 02:10:35 +00:00 · 2025-02-02 02:10:35 +00:00 · b842103307
commit b842103307
parent d5c00cfab1 8006196c55
6 changed files with 47 additions and 36 deletions
--- a/src/libexpr/primops/fetchTree.cc
+++ b/src/libexpr/primops/fetchTree.cc
@ -183,11 +183,16 @@ static void fetchTree(
    if (!state.settings.pureEval && !input.isDirect() && experimentalFeatureSettings.isEnabled(Xp::Flakes))
        input = lookupInRegistries(state.store, input).first;

-    if (state.settings.pureEval && !input.isConsideredLocked(state.fetchSettings)) {
-        state.error<EvalError>(
-            "in pure evaluation mode, '%s' will not fetch unlocked input '%s'",
-            fetcher, input.to_string()
-        ).atPos(pos).debugThrow();
+    if (state.settings.pureEval && !input.isLocked()) {
+        if (input.getNarHash())
+            warn(
+                "Input '%s' is unlocked (e.g. lacks a Git revision) but does have a NAR hash. "
+                "This is deprecated since such inputs are verifiable but may not be reproducible.",
+                input.to_string());
+        else
+            state.error<EvalError>(
+                "in pure evaluation mode, '%s' will not fetch unlocked input '%s'",
+                fetcher, input.to_string()).atPos(pos).debugThrow();
    }

    state.checkURI(input.toURLString());
--- a/src/libfetchers/fetchers.cc
+++ b/src/libfetchers/fetchers.cc
@ -155,12 +155,6 @@ bool Input::isLocked() const
    return scheme && scheme->isLocked(*this);
 }

-bool Input::isConsideredLocked(
-    const Settings & settings) const
-{
-    return isLocked() || (settings.allowDirtyLocks && getNarHash());
-}
-
 bool Input::isFinal() const
 {
    return maybeGetBoolAttr(attrs, "__final").value_or(false);
--- a/src/libfetchers/fetchers.hh
+++ b/src/libfetchers/fetchers.hh
@ -90,15 +90,6 @@ public:
     */
    bool isLocked() const;

-    /**
-     * Return whether the input is either locked, or, if
-     * `allow-dirty-locks` is enabled, it has a NAR hash. In the
-     * latter case, we can verify the input but we may not be able to
-     * fetch it from anywhere.
-     */
-    bool isConsideredLocked(
-        const Settings & settings) const;
-
    /**
     * Only for relative path flakes, i.e. 'path:./foo', returns the
     * relative path, i.e. './foo'.
--- a/src/libflake/flake/lockfile.cc
+++ b/src/libflake/flake/lockfile.cc
@ -1,7 +1,10 @@
 #include <unordered_set>

+#include "fetch-settings.hh"
+#include "flake/settings.hh"
 #include "lockfile.hh"
 #include "store-api.hh"
+#include "strings.hh"

 #include <algorithm>
 #include <iomanip>
@ -9,8 +12,6 @@
 #include <iterator>
 #include <nlohmann/json.hpp>

-#include "strings.hh"
-#include "flake/settings.hh"

 namespace nix::flake {

@ -45,9 +46,16 @@ LockedNode::LockedNode(
    , isFlake(json.find("flake") != json.end() ? (bool) json["flake"] : true)
    , parentInputAttrPath(json.find("parent") != json.end() ? (std::optional<InputAttrPath>) json["parent"] : std::nullopt)
 {
-    if (!lockedRef.input.isConsideredLocked(fetchSettings) && !lockedRef.input.isRelative())
-        throw Error("Lock file contains unlocked input '%s'. Use '--allow-dirty-locks' to accept this lock file.",
-            fetchers::attrsToJSON(lockedRef.input.toAttrs()));
+    if (!lockedRef.input.isLocked() && !lockedRef.input.isRelative()) {
+        if (lockedRef.input.getNarHash())
+            warn(
+                "Lock file entry '%s' is unlocked (e.g. lacks a Git revision) but does have a NAR hash. "
+                "This is deprecated since such inputs are verifiable but may not be reproducible.",
+                lockedRef.to_string());
+        else
+            throw Error("Lock file contains unlocked input '%s'. Use '--allow-dirty-locks' to accept this lock file.",
+                fetchers::attrsToJSON(lockedRef.input.toAttrs()));
+    }

    // For backward compatibility, lock file entries are implicitly final.
    assert(!lockedRef.input.attrs.contains("__final"));
@ -248,11 +256,20 @@ std::optional<FlakeRef> LockFile::isUnlocked(const fetchers::Settings & fetchSet

    visit(root);

+    /* Return whether the input is either locked, or, if
+       `allow-dirty-locks` is enabled, it has a NAR hash. In the
+       latter case, we can verify the input but we may not be able to
+       fetch it from anywhere. */
+    auto isConsideredLocked = [&](const fetchers::Input & input)
+    {
+        return input.isLocked() || (fetchSettings.allowDirtyLocks && input.getNarHash());
+    };
+
    for (auto & i : nodes) {
        if (i == ref<const Node>(root)) continue;
        auto node = i.dynamic_pointer_cast<const LockedNode>();
        if (node
-            && (!node->lockedRef.input.isConsideredLocked(fetchSettings)
+            && (!isConsideredLocked(node->lockedRef.input)
                || !node->lockedRef.input.isFinal())
            && !node->lockedRef.input.isRelative())
            return node->lockedRef;