author    Eelco Dolstra <edolstra@gmail.com>  2018-01-16 18:50:38 +0100
committer Eelco Dolstra <edolstra@gmail.com>  2018-01-16 19:23:18 +0100
commit    d4dcffd64349bb52ad5f1b184bee5cc7c2be73b4 (patch)
tree      f43f027df22b6421bf83d4622c883c3ebc9f846d /src/libstore
parent    23fa7e3606a2bee6e3622a61f07e66bdda9b5304 (diff)
Add pure evaluation mode
In this mode, the following restrictions apply:

* The builtins currentTime, currentSystem and storePath throw an error.
* $NIX_PATH and -I are ignored.
* fetchGit and fetchMercurial require a revision hash.
* fetchurl and fetchTarball require a sha256 attribute.
* No file system access is allowed outside of the paths returned by
  fetch{Git,Mercurial,url,Tarball}. Thus 'nix build -f ./foo.nix' is
  not allowed.

Thus, the evaluation result is completely reproducible from the
command line arguments. E.g.

  nix build --pure-eval '(
    let
      nix = fetchGit {
        url = https://github.com/NixOS/nixpkgs.git;
        rev = "9c927de4b179a6dd210dd88d34bda8af4b575680";
      };
      nixpkgs = fetchGit {
        url = https://github.com/NixOS/nixpkgs.git;
        ref = "release-17.09";
        rev = "66b4de79e3841530e6d9c6baf98702aa1f7124e4";
      };
    in
      (import (nix + "/release.nix") { inherit nix nixpkgs; }).build.x86_64-linux
  )'

The goal is to enable completely reproducible and traceable
evaluation. For example, a NixOS configuration could be fully
described by a single Git commit hash. 'nixos-rebuild' would do
something like

  nix build --pure-eval '(
    (import (fetchGit { url = file:///my-nixos-config; rev = "..."; })).system
  ')

where the Git repository /my-nixos-config would use further fetchGit
calls or Git externals to fetch Nixpkgs and whatever other
dependencies it has. Either way, the commit hash would uniquely
identify the NixOS configuration and allow it to be reproduced.
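The restrictions listed in the commit message, shown as an added example (not code from the Nix repository or from this commit): a Nix expression with each form that --pure-eval rejects kept beside the pinned form it accepts. The nixpkgs commit hash is the release-17.09 rev quoted above; the tarball URL derived from it and the all-zero sha256 are assumptions, the latter a placeholder to be replaced by the hash Nix reports on the first mismatch. The file is meant to be committed to a Git repository and imported through fetchGit, because 'nix build -f ./file.nix' reads the local file system and is not allowed in pure mode.

```nix
# pure-eval-demo.nix  (added example, not part of the Nix repository)
#
# Usage, once this file is committed in a Git repository (rev is a placeholder
# for the commit you want to evaluate):
#
#   nix build --pure-eval '(import (fetchGit {
#       url = file:///path/to/repo; rev = "<commit hash>";
#     } + "/pure-eval-demo.nix") { }).hello'

# builtins.currentSystem throws under --pure-eval, so the caller supplies it.
{ system ? "x86_64-linux" }:

let
  ## Forms that --pure-eval rejects (commented out so the file still evaluates):

  # 1. Depends on $NIX_PATH / -I, which pure mode ignores.
  # pkgs = import <nixpkgs> { };

  # 2. fetchGit with a branch but no revision hash: the result moves with the branch.
  # nixpkgsSrc = fetchGit { url = "https://github.com/NixOS/nixpkgs.git"; ref = "release-17.09"; };

  # 3. fetchTarball without a sha256 attribute: the bytes behind the URL are not pinned.
  # nixpkgsTar = fetchTarball "https://github.com/NixOS/nixpkgs/archive/release-17.09.tar.gz";

  # 4. Evaluation-time impurities: both builtins throw in pure mode.
  # stamp = builtins.currentTime;
  # src   = builtins.storePath /nix/store/some-existing-path;

  ## Forms that --pure-eval accepts:

  # The full commit hash pins the tree; ref only tells Git where to look for it.
  nixpkgsSrc = fetchGit {
    url = "https://github.com/NixOS/nixpkgs.git";
    ref = "release-17.09";
    rev = "66b4de79e3841530e6d9c6baf98702aa1f7124e4";
  };

  # The same tree as a tarball, pinned by content hash. The all-zero sha256 is a
  # placeholder (assumption): Nix fails with a mismatch that prints the real hash.
  nixpkgsTar = fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/66b4de79e3841530e6d9c6baf98702aa1f7124e4.tar.gz";
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };

  pkgs = import nixpkgsSrc { inherit system; };
in
{
  # Every output here is a function only of the hashes above and of `system`.
  inherit nixpkgsSrc nixpkgsTar;
  hello = pkgs.hello;

  # Expose the pin so a build can be traced back to the exact nixpkgs commit.
  pin = nixpkgsSrc.rev;
}
```

The practical consequence for review: under --pure-eval the only inputs that can reach the result are the command-line expression and the hashes it names, so auditing a build reduces to auditing one expression plus the commits and sha256 values it pins.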
Diffstat (limited to 'src/libstore')
-rw-r--r--  src/libstore/globals.hh  3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index af72f7b1e..81bb24a4e 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -232,6 +232,9 @@ public:
"Whether to restrict file system access to paths in $NIX_PATH, "
"and network access to the URI prefixes listed in 'allowed-uris'."};
+ Setting<bool> pureEval{this, false, "pure-eval",
+ "Whether to restrict file system and network access to files specified by cryptographic hash."};
+
Setting<size_t> buildRepeat{this, 0, "repeat",
"The number of times to repeat a build in order to verify determinism.",
{"build-repeat"}};
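Review bot: the description string on the new pureEval setting ('+ "Whether to restrict file system and network access to files specified by cryptographic hash."') documents only the fetch-by-hash rule, while the commit message says pure mode also makes currentTime, currentSystem and storePath throw and ignores $NIX_PATH and -I; since this string is what the settings documentation surfaces to users, it should list those too, e.g. "Whether to evaluate in pure mode: currentTime, currentSystem and storePath are disabled, $NIX_PATH and -I are ignored, and fetchGit/fetchMercurial/fetchurl/fetchTarball require a revision or sha256." It would also help to state here how pure-eval relates to the restrict-eval setting directly above it, since both descriptions claim to restrict file system access and a reader of globals.hh cannot tell from this hunk whether one implies the other.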