| 5 Mar 2025 |
 flokli | 
Download 1741165269059.jpg | 09:01:21 |
 Robert Hensing (roberth) | tvix does a great job at this, layering the build system onto the castore layer, instead of just juxtaposing them into storedir | 09:01:31 |
| Robert Hensing (roberth) | you beat me to it :D | 09:01:57 |
| flokli | Hehe, I have that meme on quick dial | 09:02:21 |
 Ilan Joselevich (Kranzes) | im sitting here in front of flokli, i saw him press "send" and then your message came in, I knew your were writing it before he sent lmao | 09:03:00 |
 picnoir | If I understand your categorization correctly, you'd put FODs in the "output" category? | 09:04:08 |
| Robert Hensing (roberth) | yes. They're also the current most frequent example where "first" is a thing, because many FODs can produce the same output path | 09:05:10 |
| picnoir | Shouldn't there be a third category for FODs? They're resulting from the builder but are output-addressed. | 09:05:21 |
| picnoir | Yeah | 09:05:23 |
| picnoir | And most importantly: can be poisoned. | 09:05:29 |
| Robert Hensing (roberth) | It applies to all CA outputs, where FOD is a special case of CA as it can be implemented without rewriting any hashes | 09:06:14 |
| Robert Hensing (roberth) | (the deriver firstness thing I mean) | 09:06:59 |
| Robert Hensing (roberth) | not sure what you mean with poisoning? | 09:07:07 |
| Robert Hensing (roberth) | btw input addressing might not have the uniqueness property that it currently sort of has, with https://github.com/NixOS/nix/issues/10780 | 09:11:24 |
| picnoir |
- You upload some sort of payload in a store (be it local or remote) to a certain output hash.
- You push a fetcher derivation trying to fetch from a certain URL having the CA of step 1 (wrong ca).
- The builder uses the cached FOD in the local/remote store instead of trying to verify the FOD.
Agreed, this is more of an UX-like posoning. Also agreed, it's CA-specific, not FOD specific.
What I'm trying to say, is that CA and non CA derivations are behaving quite differently on the build graph. I'd be nice to have a way to distinguish those from the validpath boundary.
| 09:13:21 |
| picnoir | I'm not super familiar with nix CA, that's why I was focussing on FODs :) | 09:13:45 |
| picnoir | *
- You upload some sort of payload in a store (be it local or remote) to a certain output hash.
- You push a fetcher derivation trying to fetch from a certain URL having the CA of step 1 (that does not necessarily reflect the ca you'd get fetching the url).
- The builder uses the cached FOD in the local/remote store instead of trying to verify the FOD.
Agreed, this is more of an UX-like posoning. Also agreed, it's CA-specific, not FOD specific.
What I'm trying to say, is that CA and non CA derivations are behaving quite differently on the build graph. I'd be nice to have a way to distinguish those from the validpath boundary.
| 09:14:59 |
