| 5 Mar 2025 |
 flokli | (native fetches) | 08:54:37 |
 Picnoir | Yeah | 08:54:41 |
| Picnoir | but they still end up in the same validpaths table. | 08:54:50 |
| Picnoir | And there's no direct way to set them appart from the "regular" builds as far as I can tell. | 08:55:05 |
| Picnoir | By looking at the db I mean. | 08:55:15 |
| flokli | Yes of course not | 08:56:04 |
| flokli | Else or would be too simple :-) | 08:56:12 |
| flokli | You also can have non-native fetches and native fetches both being present in your build graph, producing the same store path. | 08:57:11 |
| flokli | So whether something is a build or not then depends on evaluation order ;-) | 08:57:57 |
 Robert Hensing (roberth) | Recent addition:
Besides functioning as a content-addressed store, the Nix store layer works as a build system.
https://hydra.nixos.org/build/291787002/download/1/manual/store/derivation/index.html
| 08:58:09 |
| Robert Hensing (roberth) | The store we have is not a fantastic CAS (more could be done), but it fulfills both tasks | 09:00:34 |
| flokli | 
Download 1741165269059.jpg | 09:01:21 |
| Robert Hensing (roberth) | tvix does a great job at this, layering the build system onto the castore layer, instead of just juxtaposing them into storedir | 09:01:31 |
| Robert Hensing (roberth) | you beat me to it :D | 09:01:57 |
| flokli | Hehe, I have that meme on quick dial | 09:02:21 |
 Ilan Joselevich (Kranzes) | im sitting here in front of flokli, i saw him press "send" and then your message came in, I knew your were writing it before he sent lmao | 09:03:00 |
| Picnoir | If I understand your categorization correctly, you'd put FODs in the "output" category? | 09:04:08 |
| Robert Hensing (roberth) | yes. They're also the current most frequent example where "first" is a thing, because many FODs can produce the same output path | 09:05:10 |
| Picnoir | Shouldn't there be a third category for FODs? They're resulting from the builder but are output-addressed. | 09:05:21 |
| Picnoir | Yeah | 09:05:23 |
| Picnoir | And most importantly: can be poisoned. | 09:05:29 |
| Robert Hensing (roberth) | It applies to all CA outputs, where FOD is a special case of CA as it can be implemented without rewriting any hashes | 09:06:14 |
| Robert Hensing (roberth) | (the deriver firstness thing I mean) | 09:06:59 |
| Robert Hensing (roberth) | not sure what you mean with poisoning? | 09:07:07 |
| Robert Hensing (roberth) | btw input addressing might not have the uniqueness property that it currently sort of has, with https://github.com/NixOS/nix/issues/10780 | 09:11:24 |
| Picnoir |
- You upload some sort of payload in a store (be it local or remote) to a certain output hash.
- You push a fetcher derivation trying to fetch from a certain URL having the CA of step 1 (wrong ca).
- The builder uses the cached FOD in the local/remote store instead of trying to verify the FOD.
Agreed, this is more of an UX-like posoning. Also agreed, it's CA-specific, not FOD specific.
What I'm trying to say, is that CA and non CA derivations are behaving quite differently on the build graph. I'd be nice to have a way to distinguish those from the validpath boundary.
| 09:13:21 |
| Picnoir | I'm not super familiar with nix CA, that's why I was focussing on FODs :) | 09:13:45 |
| Picnoir | *
- You upload some sort of payload in a store (be it local or remote) to a certain output hash.
- You push a fetcher derivation trying to fetch from a certain URL having the CA of step 1 (that does not necessarily reflect the ca you'd get fetching the url).
- The builder uses the cached FOD in the local/remote store instead of trying to verify the FOD.
Agreed, this is more of an UX-like posoning. Also agreed, it's CA-specific, not FOD specific.
What I'm trying to say, is that CA and non CA derivations are behaving quite differently on the build graph. I'd be nice to have a way to distinguish those from the validpath boundary.
| 09:14:59 |
| Robert Hensing (roberth) | John Ericson: I've suggested to treat the Nixpkgs "fix" for the CA placeholder issue (no storedir prefix) as a workaround as ca-derivations is experimental https://github.com/NixOS/nixpkgs/pull/386774#pullrequestreview-2660479310 | 09:27:53 |
| Robert Hensing (roberth) | See https://github.com/NixOS/nix/issues/12577 for avoidable confusion | 09:31:20 |
