-rw-r--r-- | doc/manual/conf-file.xml | 16 | ||||
-rw-r--r-- | scripts/download-from-binary-cache.pl.in | 11 |
2 files changed, 24 insertions, 3 deletions
diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml index 4629e8eae0c1..932c339ebb61 100644 --- a/doc/manual/conf-file.xml +++ b/doc/manual/conf-file.xml @@ -350,13 +350,25 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> whitespace. These are not used by default, but can be enabled by users of the Nix daemon by specifying <literal>--option binary-caches <replaceable>urls</replaceable></literal> on the - command line. Daemon users are only allowed to pass a subset of - the URLs listed in <literal>binary-caches</literal> and + command line. Unprivileged users are only allowed to pass a + subset of the URLs listed in <literal>binary-caches</literal> and <literal>trusted-binary-caches</literal>.</para></listitem> </varlistentry> + <varlistentry><term><literal>extra-binary-caches</literal></term> + + <listitem><para>Additional binary caches appended to those + specified in <option>binary-caches</option> and + <option>binary-caches-files</option>. When used by unprivileged + users, untrusted binary caches (i.e. those not listed in + <option>trusted-binary-caches</option>) are silently + ignored.</para></listitem> + + </varlistentry> + + <varlistentry><term><literal>binary-caches-parallel-connections</literal></term> <listitem><para>The maximum number of parallel HTTP connections diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index e47457551841..a511f65b4348 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in 
@@ -208,12 +208,15 @@ sub getAvailableCaches { push @urls, strToList($url); } + push @urls, strToList($Nix::Config::config{"extra-binary-caches"} // ""); + # Allow Nix daemon users to override the binary caches to a subset # of those listed in the config file. Note that ‘untrusted-*’ # denotes options passed by the client. + my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // "")); + if (defined $Nix::Config::config{"untrusted-binary-caches"}) { my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"}; - my @trustedUrls = uniq(@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // "")); @urls = (); foreach my $url (@untrustedUrls) { die "binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ [@trustedUrls] in $Nix::Config::confDir/nix.conf)\n" @@ -222,6 +225,12 @@ sub getAvailableCaches { } } + my @untrustedUrls = strToList $Nix::Config::config{"untrusted-extra-binary-caches"}; + foreach my $url (@untrustedUrls) { + next unless scalar(grep { $url eq $_ } @trustedUrls) > 0; + push @urls, $url; + } + foreach my $url (uniq @urls) { # FIXME: not atomic. |
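Review bot: The `push @urls, strToList($Nix::Config::config{"extra-binary-caches"} // "");` added at the top of the first hunk is undone by the existing `@urls = ();` whenever a client supplies `untrusted-binary-caches`. In that case the extra caches from the trusted configuration only widen `@trustedUrls` and are not used unless the client lists them itself. The manual text added in this commit says they are appended to `binary-caches`, so if dropping them is intended, say so at the push, e.g. `# Discarded below when the client overrides binary-caches; still counted as trusted.` It would also help to note at `my @trustedUrls` that it is now the allow-list for both client-supplied options. getAvailableCaches starts and ends outside the hunk, so the way `@urls` is first populated is not visible here.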
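Review bot: In the second hunk, `strToList $Nix::Config::config{"untrusted-extra-binary-caches"}` is called without a guard, although the option is absent whenever the client did not pass it. The other lookups in this function either use `// ""` or sit behind `defined`. What strToList does with undef is not visible here, so the safe form is `my @untrustedUrls = strToList($Nix::Config::config{"untrusted-extra-binary-caches"} // "");`. The allow-list test is exact string equality and fails closed, which is the right default, but a cache that differs from its trusted entry only by, say, a trailing slash is skipped with no message. A short comment would record that this path skips on purpose while the `untrusted-binary-caches` path dies, e.g. `# Untrusted extra caches are skipped rather than fatal (see extra-binary-caches in the manual).`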