Experimentally allow forcing nix-daemon trust; use this to test

We finally test the status quo of remote build trust in a number of ways. We create a new experimental feature on `nix-daemon` to do so. PR #3921, which improves the situation with trustless remote building, will build upon these changes. This code / tests was pull out of there to make this, so everything is easier to review, and in particular we test before and after so the new behavior in that PR is readily apparent from the testsuite diff alone.
2025-06-25 10:41:16 +02:00 · 2023-04-17 09:41:39 -04:00 · 2023-04-17 09:41:39 -04:00 · d41e1bed5e
commit d41e1bed5e
parent 3f9589f17e
12 changed files with 145 additions and 17 deletions
--- a/src/libutil/experimental-features.cc
+++ b/src/libutil/experimental-features.cc
@ -12,7 +12,7 @@ struct ExperimentalFeatureDetails
    std::string_view description;
 };

-constexpr std::array<ExperimentalFeatureDetails, 11> xpFeatureDetails = {{
+constexpr std::array<ExperimentalFeatureDetails, 12> xpFeatureDetails = {{
    {
        .tag = Xp::CaDerivations,
        .name = "ca-derivations",
@ -189,6 +189,16 @@ constexpr std::array<ExperimentalFeatureDetails, 11> xpFeatureDetails = {{
            runtime dependencies.
        )",
    },
+    {
+        .tag = Xp::DaemonTrustOverride,
+        .name = "daemon-trust-override",
+        .description = R"(
+            Allow forcing trusting or not trusting clients with
+            `nix-daemon`. This is useful for testing, but possibly also
+            useful for various experiments with `nix-daemon --stdio`
+            networking.
+        )",
+    },
 }};

 static_assert(