author Eelco Dolstra <eelco.dolstra@logicblox.com> 2015-07-17T15·57+0200
committer Eelco Dolstra <eelco.dolstra@logicblox.com> 2015-07-17T15·57+0200
commit 1511aa9f488ba0762c2da0bf8ab61b5fde47305d
tree fc394f398be8d2aa4a040794618713a22179e9e0 /tests/secure-drv-outputs.nix
parent f39979c6d3e49b09aa82fea5e167d4253f63d71f

Allow remote builds without sending the derivation closure

Previously, to build a derivation remotely, we had to copy the entire
closure of the .drv file to the remote machine, even though we only
need the top-level derivation. This is very wasteful: the closure can
contain thousands of store paths, and in some Hydra use cases, include
source paths that are very large (e.g. Git/Mercurial checkouts).

So now there is a new operation, StoreAPI::buildDerivation(), that
performs a build from an in-memory representation of a derivation
(BasicDerivation) rather than from an on-disk .drv file. The only files
that need to be in the Nix store are the sources of the derivation
(drv.inputSrcs), and the needed output paths of the dependencies (as
described by drv.inputDrvs). "nix-store --serve" exposes this
interface.

Note that this is a privileged operation, because you can construct a
derivation that builds any store path whatsoever. Fixing this will
require changing the hashing scheme (i.e., the output paths should be
computed from the other fields in BasicDerivation, allowing them to be
verified without access to other derivations). However, this would be
quite nice because it would allow .drv-free building (e.g. "nix-env
-i" wouldn't have to write any .drv files to disk).

Fixes #173.
Diffstat (limited to 'tests/secure-drv-outputs.nix')
0 files changed, 0 insertions, 0 deletions
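
The commit message's last paragraph proposes computing output paths from the other fields of BasicDerivation so that the receiving side can verify them without access to other derivations. The sketch below is an added example, not code from this commit or from Nix: it is a toy model of such a scheme, and the Python class, the `input_outputs` field, the JSON serialization and the 32-character digest are assumptions that do not reproduce Nix's real store path algorithm.

```python
import hashlib
import json
from dataclasses import dataclass, field, replace

STORE = "/nix/store"

@dataclass
class BasicDerivation:
    """Toy stand-in for the in-memory derivation sent to the builder."""
    name: str
    builder: str
    args: list
    env: dict
    input_srcs: list      # source store paths (drv.inputSrcs)
    input_outputs: list   # needed output paths of the dependencies
    outputs: dict = field(default_factory=dict)  # output name -> claimed path

def expected_output_path(drv, output_name):
    """Hypothetical scheme: hash only fields the builder already holds."""
    material = json.dumps({
        "name": drv.name, "builder": drv.builder, "args": drv.args,
        "env": drv.env, "inputSrcs": sorted(drv.input_srcs),
        "inputOutputs": sorted(drv.input_outputs), "output": output_name,
    }, sort_keys=True).encode()
    digest = hashlib.sha256(material).hexdigest()[:32]
    return f"{STORE}/{digest}-{drv.name}"

def seal(drv, output_names=("out",)):
    """Client side: fill in the output paths the scheme dictates."""
    return replace(drv, outputs={o: expected_output_path(drv, o) for o in output_names})

def verify_outputs(drv):
    """Builder side: names of outputs whose claimed path does not match."""
    return sorted(o for o, claimed in drv.outputs.items()
                  if claimed != expected_output_path(drv, o))

# Constructed sample input (placeholder digests, not real store paths).
honest = seal(BasicDerivation(
    name="hello-1.0", builder="/bin/sh", args=["-c", "make install"],
    env={"PREFIX": "placeholder"},
    input_srcs=[f"{STORE}/{'a' * 32}-hello-1.0.tar.gz"],
    input_outputs=[f"{STORE}/{'b' * 32}-gcc"]))
# Same build recipe, but claiming an unrelated store path as its output.
forged = replace(honest, outputs={"out": f"{STORE}/{'c' * 32}-openssl"})

if __name__ == "__main__":
    print("honest mismatches:", verify_outputs(honest))
    print("forged mismatches:", verify_outputs(forged))
```

With a check like `verify_outputs` in front of the build, a request whose claimed output path does not follow from its own fields can be rejected before anything is written to the store.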