fetchClosure: input addressed and pure
#8370
Conversation
roberth
added
the
idea approved
github-actions
bot
added
the
with-tests
roberth
changed the title
fetchClosure: input addressed and pure
roberth
force-pushed
the
fetchClosure-input-addressed
branch
from
6542be8
to
3e3ad34
Compare
|
Last commit I think warrants additional tests. |
|
After this PR, I think it would be good to break up the implementation function into multiple functions. We could use a |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2023-05-19-nix-team-meeting-minutes-56/28446/1 |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2023-05-22-nix-team-meeting-minutes-57/28447/1 |
roberth
force-pushed
the
fetchClosure-input-addressed
branch
from
3e3ad34
to
879ebb6
Compare
roberth
force-pushed
the
fetchClosure-input-addressed
branch
from
f4c8ee3
to
3bb5c6c
Compare
src/libexpr/primops/fetchClosure.cc
Outdated
| If `fromPath` is already content-addressed, or if you are | ||
| allowing impure evaluation (`--impure`), then `toPath` may be | ||
| omitted. | ||
| By rewriting the store paths, you can add the contents to any store without requiring that you or perhaps your users configure any extra trust. |
There was a problem hiding this comment.
Explanation of trust not entirely in scope for this piece of documentation. New section TBD:
|
Code looks great now, but do we need more tests and release notes? |
roberth
force-pushed
the
fetchClosure-input-addressed
branch
from
3bb5c6c
to
e7053b9
Compare
I did add a little release note
Does that look ok to you? All I could think of adding is instructions, but I think the linked reference docs should cover that, as well as the error messages.
The basics are covered, but I'll have another look at it. |
src/libexpr/primops/fetchClosure.cc
Outdated
| **Rewriting a store path** | ||
|
|
||
| This first example fetches `/nix/store/r2jd...` from the specified binary cache, | ||
| and rewrites it into the content-addressed store path | ||
| `/nix/store/ldbh...`. | ||
|
|
||
| If `fromPath` is already content-addressed, or if you are | ||
| allowing impure evaluation (`--impure`), then `toPath` may be | ||
| omitted. | ||
| By rewriting the store paths, you can add the contents to any store without requiring that you or perhaps your users configure any extra trust. |
There was a problem hiding this comment.
I'd omit all this. The first example is explained by the line introducing it. Let's not go into recommendations here until we explain trust and that stuff somewhere first. Let's focus on providing the mechanism and showing how it's used.
|
Sorry I missed the release note: I was reviewing too tired :/. For the tests I might be underestimating how good they were before, but it seems now are more systematic about error checking and thus there are a number of failure modes to test? |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2023-06-05-nix-team-meeting-minutes-60/28933/1 |
roberth
force-pushed
the
fetchClosure-input-addressed
branch
2 times, most recently
from
e3b22c3
to
1224fbd
Compare
|
I'll make this draft and then @roberth can undraft it when I should review it again. |
When explicitly requested by the caller, as suggested in the meeting (NixOS#8090 (comment)) > @edolstra: { toPath } vs { fromPath } is too implicit I've opted for the `inputAddressed = true` requirement, because it we did not agree on renaming the path attributes. > @roberth: more explicit > @edolstra: except for the direction; not immediately clear in which direction the rewriting happens This is in fact the most explicit syntax and a bit redundant, which is good, because that redundancy lets us deliver an error message that reminds expression authors that CA provides a better experience to their users.
A single variable is nice and self-contained.
Co-authored-by: Valentin Gagarin <[email protected]>
We should check error messages, so that we know the command fails for the right reason. Alternatively, a mere typo can run the test undetected.
roberth
force-pushed
the
fetchClosure-input-addressed
branch
from
1224fbd
to
fefb947
Compare
Co-authored-by: Valentin Gagarin <[email protected]>
Done. They are now interleaved with the docs that describe those invocations; no more "overview" means less switching between the three "use cases" and less repetition. You can still get the overview by looking at just the headers and/or just the examples. |
roberth
force-pushed
the
fetchClosure-input-addressed
branch
from
940e9c9
to
9fc82de
Compare
Motivation
Input addressed binary dependencies are not impure, so requiring
--impurefor them would open users up to actual impurities, which is counterproductive. Instead, we accept the fact that a trusted key may be required, but we do remind expression authors that CA does not require this.Context
Follow-up to #8090 (comment)
Checklist for maintainers
Maintainers: tick if completed or explain if not relevant
tests/**.shsrc/*/teststests/nixos/*Priorities
Add 👍 to pull requests you find important.