| 30 Jan 2024 |
 chayleaf | i've applied the following patch:
diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
index 30ab9740..ffb8c748 100644
--- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
+++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
@@ -310,10 +310,6 @@ int main(int argc, char * * argv)
/* FIXME: The build hook in conjunction with import-from-derivation is causing "unexpected EOF" during eval */
settings.builders = "";
- /* Prevent access to paths outside of the Nix search path and
- to the environment. */
- evalSettings.restrictEval = true;
-
/* When building a flake, use pure evaluation (no access to
'getEnv', 'currentSystem' etc. */
evalSettings.pureEval = pureEval;
however, for some reason my repo is still being evaluated in restricted mode. I've tried removing the eval cache, but nothing helped, I'm still getting the error access to canonical path '...' is forbidden in restricted mode. What could be the reason behind this? | 11:26:18 |
| chayleaf | my ci randomly broke after a nixpkgs update and nothing i've tried worked | 11:28:00 |
| chayleaf | (nix 2.18 btw) | 11:30:46 |
| chayleaf | the same nix code works fine when run from the hydra user's shell, even with restrict eval on (given the right nix-path in nix.conf) | 11:44:20 |
 Julien | did you try in your patch evalSettings.restrictEval = false; ? | 11:58:00 |
| Julien | I remember doing the same kind of things and it working | 11:58:12 |
| chayleaf | that didnt work either | 12:21:52 |
| chayleaf | uh, it appears i now have to disable pure eval? even though the message says the issue is about restricted mode | 12:33:05 |
| chayleaf | this is quite unfortunate | 12:33:10 |
| chayleaf | (for the record, my use case is nix-plugins) | 12:33:37 |
| Julien | Are you evaluating an absolute or relative path ? | 12:35:52 |
| chayleaf | im not evaluating anything at all, the path is simply loaded by nix-plugins | 14:56:09 |
| chayleaf | * im not (manually) evaluating anything at all, the path is simply loaded by nix-plugins | 14:56:54 |
| chayleaf | https://github.com/shlevy/nix-plugins/blob/a1b351aed22a8176fad02ee45adb8baa217a5b6e/extra-builtins.cc#L31 | 14:56:55 |
 John Ericson | Hydra master is now Nix 2.20 | 19:12:07 |
| John Ericson | nix-2.19 branch is the master --first-parent commit prior to that | 19:12:26 |
| John Ericson | nix-next is now the same as master but for a Flake update | 19:13:04 |
|  @erremilia:matrix.org left the room. | 19:56:05 |
| 31 Jan 2024 |
|  @federicodschonborn:matrix.org changed their profile picture. | 03:35:52 |
| @federicodschonborn:matrix.org changed their profile picture. | 06:21:39 |
|  @grossmap:in.tum.de joined the room. | 21:40:51 |
| 2 Feb 2024 |
|  Specx joined the room. | 07:11:00 |
 dustee | why after doing nix flake update now all my hydra projects report this error: access to URI 'github:NixOS/nixpkgs/902d74314fae5eb824bc7b597bd4d39640345557' is forbidden in restricted mode | 08:54:53 |
| dustee | * why after doing nix flake update now all my hydra projects report this
error: access to URI 'github:NixOS/nixpkgs/902d74314fae5eb824bc7b597bd4d39640345557' is forbidden in restricted mode | 08:55:06 |
| dustee | on that host i tried nix flake check --restrict-eval git+https://git.mydomain/owner/repo and it doesnt report any errors, so why does hydra that runs on that same host have problems? | 09:14:37 |
| dustee | * on that host i tried nix flake check --restrict-eval git+https://git.mydomain/owner/repo and it doesnt report any errors, so why does hydra that runs on that same host have problems? | 09:14:45 |
 ma27 | do hydra use the same nix version as the host itself?
you can check by nix --version on your host and what hydra shows in the bottom right corner. | 09:15:48 |
| dustee | nope different versions, host is nix (Nix) 2.18.1 and hydra is nix-2.19.3 | 09:17:52 |
| ma27 | yep and the behavior was changed in 2.19.3.
you'll need github: (and probably others) in your allowed-uris (nix.settings.allowed-uris iirc) | 09:19:18 |
| dustee | thanks that worked nix.settings.allowed-uris = ["github:" "git+"]; | 09:26:36 |
