-rw-r--r-- | doc/manual/command-ref/conf-file.xml | 10 | ||||
-rw-r--r-- | src/libexpr/primops.cc | 2 | ||||
-rw-r--r-- | src/libstore/globals.cc | 2 | ||||
-rw-r--r-- | src/libstore/globals.hh | 3 |
4 files changed, 17 insertions, 0 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index 96f8a4b608a4..b1b604100f98 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -644,6 +644,16 @@ password <replaceable>my-password</replaceable> </varlistentry> + <varlistentry xml:id="conf-allow-import-from-derivation"><term><literal>allow-import-from-derivation</literal></term> + + <listitem><para>By default, nix allows you to <function>import</function> from a derivation, + allowing building at evaluation time. With this option set to false, nix will throw an error + when evaluating an expression that uses this feature, allowing users to ensure their evaluation + will not require any builds to take place.</para></listitem> + + </varlistentry> + + </variablelist> </para> diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index 5a570cefb2fa..93097f3d1bf3 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -59,6 +59,8 @@ void EvalState::realiseContext(const PathSet & context) drvs.insert(decoded.first + "!" + decoded.second); } if (!drvs.empty()) { + if (!settings.enableImportFromDerivation) + throw EvalError(format("attempted to realize ‘%1%’ during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin())); /* For performance, prefetch all substitute info. */ PathSet willBuild, willSubstitute, unknown; unsigned long long downloadSize, narSize; diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index fcd6347294ca..df537a51255a 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -70,6 +70,7 @@ Settings::Settings() enableImportNative = false; netrcFile = fmt("%s/%s", nixConfDir, "netrc"); caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt")); + enableImportFromDerivation = true; } 
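Review bot: In src/libexpr/primops.cc the new guard in `EvalState::realiseContext` has no comment stating the invariant it enforces. It also sits in a shared helper whose callers are outside the hunk, so it presumably applies to every primop that realises a string context, not only `import` as the manual entry says. I would add `/* With allow-import-from-derivation=false, fail before any store query or build is started. */` above the `if`, and widen the manual wording if other callers exist. The message mixes quote styles (`‘%1%’` next to `'allow-import-from-derivation'`) and spells "realize" where the function is `realiseContext`; one style throughout keeps the error easy to grep in CI logs. As far as this diff shows, the check is enforced only in the evaluator, so it guards whoever runs the evaluation with the option set and should not be documented as a store-side restriction.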
@@ -185,6 +186,7 @@ void Settings::update() _get(keepGoing, "keep-going"); _get(keepFailed, "keep-failed"); _get(netrcFile, "netrc-file"); + _get(enableImportFromDerivation, "allow-import-from-derivation"); } diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 1e6b7c083a62..7a9a9f6c0caa 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -198,6 +198,9 @@ struct Settings { /* Path to the SSL CA file used */ Path caFile; + /* Whether we allow import-from-derivation */ + bool enableImportFromDerivation; + private: SettingsMap settings, overrides; |
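Review bot: The comment on `enableImportFromDerivation` in src/libstore/globals.hh names neither the configuration key nor the default, both of which a reader needs when relying on this setting to keep evaluation free of builds. Something like `/* Whether evaluation may realise derivation outputs (import-from-derivation). Set by 'allow-import-from-derivation'; defaults to true. */` would carry that. The member has no in-class initializer and depends on the `enableImportFromDerivation = true;` line added to `Settings::Settings()` in globals.cc, so the two must stay in step. The struct continues outside the hunk.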