| 13 May 2022 |
das_j | Hydra doesn't have an option to toggle this for some reason | 10:24:45 |
das_j | https://github.com/NixOS/hydra/pull/888 | 10:25:01 |
osnyx (he/him) | But before looking into that, back to restrict-eval: With that being off by default, I cannot find it being activated in the /etc/nix/nix.conf of the hydra host. | 10:25:06 |
das_j | there is also some option that allows you to selectively unrestrict paths… but I have never used that | 10:25:52 |
osnyx (he/him) | [In reply to @janne.hess:helsinki-systems.de: Hydra doesn't have an option to toggle this for some reason] Ah, that explains why it's on in Hydra | 10:27:47 |
das_j | ah allowed-uris is the option I was talking about but I have no idea what to do with it. Maybe set it to /nix/store? I really don't know | 10:28:42 |
osnyx (he/him) | [In reply to @linus:schreibt.jetzt: Because restrict-eval doesn't affect fixed-output derivations, which are the mechanism through which sources are usually fetched.] That doesn't read like this in the nix docs: https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval So if this is true it should better be mentioned there. | 10:28:48 |
@linus:schreibt.jetzt | the key word there is "evaluator" | 10:29:21 |
osnyx (he/him) | I first will have a look how that directory is actually created, I guess some tracing comes in handy there. | 10:29:37 |
osnyx (he/him) | [In reply to @linus:schreibt.jetzt: the key word there is "evaluator"] Ah, the component that creates the .drv files to be realised by the nix daemon later? | 10:31:32 |
@linus:schreibt.jetzt | not necessarily the daemon, but yes | 10:31:44 |
osnyx (he/him) | Understood. Yeah, not always the daemon (see single-user installs), but I wanted to simplify for clarity. Thx. | 10:32:27 |
@linus:schreibt.jetzt | the evaluator also talks to the daemon on multi-user installs, in order to actually create the .drvs :) | 10:33:10 |
osnyx (he/him) | das_j: Do you think a remark about the naming of "is forbidden in restricted mode" (Hydra error, not found in Hydra docs) vs. "restrict-eval" (underlying Nix feature) deserves its own issue or shall I mention it in PR #888? | 10:34:29 |
das_j | [In reply to @os:matrix.flyingcircus.io: das_j: Do you think a remark about the naming of "is forbidden in restricted mode" (Hydra error, not found in Hydra docs) vs. "restrict-eval" (underlying Nix feature) deserves its own issue or shall I mention it in PR #888?] I don't know, maybe not in #888 since I doubt this will ever get merged or looked at again | 10:35:00 |
osnyx (he/him) | It could be mentioned in the Hydra docs that the "restricted mode" is derived from "restrict-eval", or the error message could be rephrased | 10:35:40 |
osnyx (he/him) | Or if #888 is abandoned then someone (I?) might just document that restricted mode == restrict-eval is always switched on. | 10:36:22 |
das_j | [In reply to @os:matrix.flyingcircus.io: Or if #888 is abandoned then someone (I?) might just document that restricted mode == restrict-eval is always switched on.] It's not abandoned, we do rebase it to master when needed because it's one of the 20 patches we pick into our downstream hydra :D | 10:37:01 |
das_j | [In reply to @os:matrix.flyingcircus.io: It could be mentioned in the Hydra docs that the "restricted mode" is derived from "restrict-eval", or the error message could be rephrased] But what would the error message say? It's not like you can just change an option to fix the issue | 10:37:25 |