[Nix-dev] is there something like unsafeImpureEnvVars?

Ben Franksen ben.franksen at online.de
Mon Apr 14 20:47:53 CEST 2014


Peter Simons wrote:
>  >> Fetching source over the network is the main reason fixed output
>  >> derivations even exist. When chroot builds are enabled, networking is
>  >> not allowed for non-fixed output derivations.
>  >
>  > Interesting, I did not know this.
>  >
>  > I agree that this policy makes sense for stuff that gets downloaded
>  > from the internet, and especially if you base a complete linux
>  > distribution on it (security considerations: you want to make sure that
>  > the source has not been tampered with).
> 
> another feature of fixed output derivations is that the $out hash
> does not depend on the commands that were used to generate $out. If a
> command like
> 
>    ${curl}/bin/curl http://example.org/foobar-1.1.tar.gz
> 
> would go into the $out hash -- like build scripts normally do --, then
> source tarballs would have to be re-downloaded every time their URL
> changes. If curl ever changed, then we'd have to re-download everything!
> Fixed output derivations avoid this overhead (while also improving
> security somewhat, because we track hashes for our sources).

Hi Peter,

Exactly that thought occurred to me, too, lately; thanks for confirming it.
I guess I'll have to see the Nix sources as some kind of database that
associates module and version with a hash of the output to be on the safe
(and efficient) side. I have some idea now how to do that; it's probably not
as much work as I thought it might be.

Cheers
Ben
-- 
"Make it so they have to reboot after every typo." -- Scott Adams
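The two derivation kinds Peter contrasts above, as an added illustration that is not code from this thread or from the Nix project. The URL, the tarball name and the all-zero sha256 are placeholders; the real hash must be filled in before the build is accepted.

```nix
# Added example: a fixed-output derivation next to an ordinary one.
{ pkgs ? import <nixpkgs> {} }:

let
  # Fixed-output derivation. Its store path is derived from name,
  # outputHashAlgo, outputHashMode and outputHash only, so changing the
  # URL below (or the curl package) leaves $out unchanged, and the build
  # only runs when that path is missing. Nix compares the result against
  # outputHash and rejects the build on a mismatch, so a tampered download
  # is refused. Network access is permitted because the output is fixed.
  src = pkgs.stdenv.mkDerivation {
    name = "foobar-1.1.tar.gz";               # placeholder name
    outputHashAlgo = "sha256";
    outputHashMode = "flat";                  # hash the single file as-is
    outputHash = "0000000000000000000000000000000000000000000000000000000000000000"; # placeholder
    nativeBuildInputs = [ pkgs.curl ];
    # Fixed-output derivations may whitelist host environment variables
    # (e.g. proxy settings) via impureEnvVars; ordinary ones may not.
    impureEnvVars = [ "http_proxy" "https_proxy" ];
    buildCommand = ''
      curl -L -o "$out" http://example.org/foobar-1.1.tar.gz  # placeholder URL
    '';
  };

  # Ordinary derivation. Here the builder script, every input derivation
  # (including src and the stdenv) and the environment all feed the $out
  # hash, so any change to them yields a new store path and a rebuild.
  # Under chroot builds it has no network access at all.
  unpacked = pkgs.stdenv.mkDerivation {
    name = "foobar-1.1";
    inherit src;
    buildCommand = ''
      mkdir -p "$out"
      tar -xzf "$src" -C "$out"
    '';
  };
in
{
  inherit src unpacked;
}
```

To see the difference without building, instantiate the file twice with a different URL in `src` (`nix-instantiate example.nix -A src`) and compare `nix-store -q --outputs` on the two resulting .drv paths: the `src` output path is identical both times, whereas the same edit to `buildCommand` in `unpacked` changes its output path.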