-rw-r--r--doc/manual/command-ref/conf-file.xml10
-rw-r--r--src/libexpr/primops.cc2
-rw-r--r--src/libstore/globals.cc2
-rw-r--r--src/libstore/globals.hh3
4 files changed, 17 insertions, 0 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 96f8a4b608a4..b1b604100f98 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -644,6 +644,16 @@ password <replaceable>my-password</replaceable>
   </varlistentry>
 
 
+  <varlistentry xml:id="conf-allow-import-from-derivation"><term><literal>allow-import-from-derivation</literal></term>
+
+    <listitem><para>By default, nix allows you to <function>import</function> from a derivation,
+    allowing building at evaluation time. With this option set to false, nix will throw an error
+    when evaluating an expression that uses this feature, allowing users to ensure their evaluation
+    will not require any builds to take place.</para></listitem>
+
+  </varlistentry>
+
+
 </variablelist>
 
 </para>
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 5a570cefb2fa..93097f3d1bf3 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -59,6 +59,8 @@ void EvalState::realiseContext(const PathSet & context)
             drvs.insert(decoded.first + "!" + decoded.second);
     }
     if (!drvs.empty()) {
+        if (!settings.enableImportFromDerivation)
+            throw EvalError(format("attempted to realize ‘%1%’ during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));
         /* For performance, prefetch all substitute info. */
         PathSet willBuild, willSubstitute, unknown;
         unsigned long long downloadSize, narSize;
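Review bot: The new error in `realiseContext` names only `*(drvs.begin())`, so when the context carries several derivations the user sees just the first element of `drvs` and has to re-run to find the others; listing them all, or appending a count of the remaining ones, would make the refusal easier to act on. The guard also sits in `realiseContext` rather than at the import call site, so it presumably applies to every primop that realises a context, while the message and the manual entry talk only about import; a comment above the check such as `/* Refuse any evaluation-time realisation, not just import, when allow-import-from-derivation is false. */` would state the intended scope. The message also mixes ‘%1%’ with straight quotes around the option name. The body of `realiseContext` starts and ends outside this hunk.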
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index fcd6347294ca..df537a51255a 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -70,6 +70,7 @@ Settings::Settings()
     enableImportNative = false;
     netrcFile = fmt("%s/%s", nixConfDir, "netrc");
     caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
+    enableImportFromDerivation = true;
 }
 
 
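Review bot: The initializer `enableImportFromDerivation = true;` leaves the setting permissive unless it is configured otherwise, and nothing at this line or in the one-line field comment in globals.hh says so. Anyone relying on the option to guarantee a build-free evaluation has to know it is opt-in, so I would annotate the default, e.g. `enableImportFromDerivation = true; // permissive default; set allow-import-from-derivation = false to forbid builds during evaluation`. Placing the line next to `enableImportNative`, the other evaluation-time toggle visible in this hunk, instead of after `caFile` would also keep related defaults together. The constructor body starts outside the hunk.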
@@ -185,6 +186,7 @@ void Settings::update()
     _get(keepGoing, "keep-going");
     _get(keepFailed, "keep-failed");
     _get(netrcFile, "netrc-file");
+    _get(enableImportFromDerivation, "allow-import-from-derivation");
 }
 
 
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 1e6b7c083a62..7a9a9f6c0caa 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -198,6 +198,9 @@ struct Settings {
     /* Path to the SSL CA file used */
     Path caFile;
 
+    /* Whether we allow import-from-derivation */
+    bool enableImportFromDerivation;
+
 private:
     SettingsMap settings, overrides;