-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use SourcePath for reading flake.{nix,lock} #10088
Conversation
Flakes still reside in the Nix store (so there shouldn't be any change in behaviour), but they are now accessed via the rootFS accessor. Since rootFS implements access checks, we no longer have to worry about flake.{nix,lock} or their parents being symlinks that escape from the flake. Extracted from the lazy-trees branch.
29747ae
to
598deb2
Compare
@edolstra Can we use |
@@ -55,16 +55,14 @@ struct LockFile | |||
ref<Node> root = make_ref<Node>(); | |||
|
|||
LockFile() {}; | |||
LockFile(const nlohmann::json & json, const Path & path); | |||
LockFile(std::string_view contents, std::string_view path); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LockFile(std::string_view contents, std::string_view path); | |
LockFile(nlohmann::json json, std::string_view path); |
I think I would prefer that: let the caller parse and move in. Just as efficient, and keeps are more informative method type.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that would be better. To the caller the lockfile is just an opaque string. The fact that it's JSON is an implementation detail of LockFile
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, the caller does want to know that toJSON()
and this are related by a round trip law, right?
I don't mind also exposing the current signature as a simple wrapper if it is easier for call sites.
Probably best not to do that right now, because it could change semantics if the paths seen by the evaluator are not in |
Wouldn't it only affect flakes, and only affect flakes that have bugs? Granted, legacy code should be usable through flakes, but maybe this particular issue is very minor. I think we could try that in 2.22, if 2.21 goes fairly well. |
#9852 This is the bug I am thinking of, FYI. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2024-03-04-nix-team-meeting-minute-130/40830/1 |
Motivation
Flakes still reside in the Nix store (so there shouldn't be any change in behaviour), but they are now accessed via the
rootFS
accessor. Since rootFS implements access checks, we no longer have to worry aboutflake.{nix,lock}
or their parents being symlinks that escape from the flake.Extracted from the lazy-trees branch.
Context
Priorities and Process
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.