about summary refs log tree commit diff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/manual/command-ref/conf-file.xml18
-rw-r--r--doc/manual/release-notes/rl-1.12.xml8
2 files changed, 25 insertions, 1 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 6b90083f0873..fb4d8cefc4d2 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -563,7 +563,8 @@ password <replaceable>my-password</replaceable>
       <para>If set to <literal>true</literal>, the Nix evaluator will
       not allow access to any files outside of the Nix search path (as
       set via the <envar>NIX_PATH</envar> environment variable or the
-      <option>-I</option> option). The default is
+      <option>-I</option> option), or to URIs outside of
+      <option>allowed-uri</option>. The default is
       <literal>false</literal>.</para>
 
     </listitem>
@@ -571,6 +572,21 @@ password <replaceable>my-password</replaceable>
   </varlistentry>
 
 
+  <varlistentry xml:id="conf-allowed-uris"><term><literal>allowed-uris</literal></term>
+
+    <listitem>
+
+      <para>A list of URI prefixes to which access is allowed in
+      restricted evaluation mode. For example, when set to
+      <literal>https://github.com/NixOS</literal>, builtin functions
+      such as <function>fetchGit</function> are allowed to access
+      <literal>https://github.com/NixOS/patchelf.git</literal>.</para>
+
+    </listitem>
+
+  </varlistentry>
+
+
   <varlistentry xml:id="conf-pre-build-hook"><term><literal>pre-build-hook</literal></term>
 
     <listitem>
diff --git a/doc/manual/release-notes/rl-1.12.xml b/doc/manual/release-notes/rl-1.12.xml
index 609dcef6b49e..7c9a8b75ecee 100644
--- a/doc/manual/release-notes/rl-1.12.xml
+++ b/doc/manual/release-notes/rl-1.12.xml
@@ -418,6 +418,14 @@ configureFlags = "--prefix=${placeholder "out"} --includedir=${placeholder "dev"
     through the MELPA package repository.</para>
   </listitem>
 
+  <listitem>
+    <para>In restricted evaluation mode
+    (<option>--restrict-eval</option>), builtin functions that
+    download from the network (such as <function>fetchGit</function>)
+    are permitted to fetch underneath the list of URI prefixes
+    specified in the option <option>allowed-uris</option>.</para>
+  </listitem>
+
 </itemizedlist>
 
 <para>This release has contributions from TBD.</para>