Passing store paths into functions from other flakes causes errors in pure evaluation mode #11030

Closed
endgame opened this issue Jul 3, 2024 · 3 comments · Fixed by #12045
Labels: bug; fetching (Networking with the outside (non-Nix) world, input locking); regression (Something doesn't work anymore)

Comments

@endgame
Contributor

endgame commented Jul 3, 2024

Affected releases (non-exhaustive): Nix 2.20.6, Nix 2.21.2, Nix 2.22.1
Last unaffected release: Nix 2.19.4

It appears that recent versions of Nix have tightened pure evaluation mode. In the flake below, I pass a store path to a function from another flake, which used to work in older versions of Nix.

To reproduce, run nix build on the following flake:

```nix
{
  description = "Pass a store path to a flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs";
    nix-freeze-tree.url = "git+https://git.sr.ht/~jack/nix-freeze-tree?rev=60e09710d6062d54d063c8488337c14d9d302d58";
  };

  outputs = inputs: {
    packages.x86_64-linux.default =
      let
        pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;

        step1 = pkgs.runCommand "step1" {} ''
          mkdir -p $out
          echo '19 + 23' > $out/theanswer
        '';

        step2 = inputs.nix-freeze-tree.lib.x86_64-linux.freeze step1;
      in
      step2;
  };
}
```

You should see `error: access to absolute path '/nix/store/bhgy1rz0hi7b9anbnyr6zjgp0jh5dwrg-step1' is forbidden in pure evaluation mode (use '--impure' to override)`.

@roberth roberth added the bug, regression and fetching labels Jul 3, 2024
@roberth roberth added this to Nix team Jul 3, 2024
@github-project-automation github-project-automation bot moved this to To triage in Nix team Jul 3, 2024
@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-07-03-nix-team-meeting-minutes-158/49097/1

@roberth
Member

roberth commented Jul 15, 2024

Triaged 2024-07-03:

This may be an IFD-related problem, considering this import in nix-freeze-tree

Could also be caused by recent-ish changes in EvalState to use Source- / InputAccessor for allow-listing the accessible paths.

Maybe it's only allowing the direct references to the imported outputs; should be allowing whole closures.

Or maybe we should require

  • @Ericson2314: Also looks like they should be using builtins.storePath. Bugs aside, if you don't use that, and just have a /nix/store/.... path literal, that won't work with a chroot store.
  • EvalState should recognize that it's an ok store path to add context for.

Two flakes is not necessary. One flake is enough to reproduce.

Call chain is realisePath -> realiseContext -> addPath -> addPathPrefix; no computeFSClosure or similar. It should compute the closure.

  • @edolstra: EvalState::resolveLookupPathPath does add the entire closure of a path

This was not previously discovered because a lot of IFD only looks at the output, ignoring references.
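
A toy model of the allow-listing behaviour discussed in the triage notes above, added here as an illustration; it is not Nix source code and does not come from any participant in this thread. The store paths, the reference graph and all function names are constructed assumptions. It contrasts allow-listing only the realised output with allow-listing its whole closure.

```python
# Toy model (NOT Nix source): which paths pure evaluation may read after an
# import-from-derivation output is realised. All store paths are constructed.
import posixpath
from pathlib import PurePosixPath

FROZEN = "/nix/store/aaaa-frozen"          # realised IFD output (constructed)
# REFERENCES[p] = store paths that p's contents refer to (constructed graph)
REFERENCES = {
    FROZEN: {"/nix/store/bbbb-step1"},
    "/nix/store/bbbb-step1": {"/nix/store/cccc-glibc"},
    "/nix/store/cccc-glibc": set(),
    "/nix/store/dddd-unrelated": set(),
}

def closure(root):
    """Every store path reachable from root through references, root included."""
    seen, todo = set(), [root]
    while todo:
        path = todo.pop()
        if path not in seen:
            seen.add(path)
            todo.extend(REFERENCES[path])
    return seen

def allow_direct(realised):
    """Behaviour described in the triage: only the realised path is added."""
    return {realised}

def allow_closure(realised):
    """Behaviour the triage asks for: the realised path plus its closure."""
    return closure(realised)

def _parts(path):
    # Collapse "." and ".." lexically before comparing (symlinks not modelled).
    return PurePosixPath(posixpath.normpath(path)).parts

def is_allowed(path, allowed_prefixes):
    """Component-wise prefix match, so 'aaaa-frozen-evil' never matches
    the allowed prefix 'aaaa-frozen'."""
    target = _parts(path)
    return any(target[:len(_parts(a))] == _parts(a) for a in allowed_prefixes)

if __name__ == "__main__":
    wanted = "/nix/store/bbbb-step1/theanswer"
    print("direct only :", is_allowed(wanted, allow_direct(FROZEN)))
    print("with closure:", is_allowed(wanted, allow_closure(FROZEN)))
```
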

@edolstra edolstra self-assigned this Jul 17, 2024
@edolstra edolstra removed this from Nix team Jul 17, 2024
@roberth roberth added this to Nix team Sep 22, 2024
@github-project-automation github-project-automation bot moved this to To triage in Nix team Sep 22, 2024
@endgame
Contributor Author

endgame commented Oct 9, 2024

git bisect says that ea95327 is the breaking commit. I tested on a cloud VM by building nix from git, then using it to build the dodgy flake in the OP of this issue: cd ~/dodgy-flake && nix shell ${HOME}/nix#nix -c nix build --no-link and doing a full GC between checks.

gador added a commit to gador/bento that referenced this issue Oct 26, 2024
on newer nix versions (> 2.18) the "path:" settings
will lead to evaluation errors when the flake uses
symbolic links.

a typical error message would be:

`error: access to absolute path '/lib' is forbidden in pure evaluation
mode (use '--impure' to override)`

when `/lib` actually is `./lib`.

When "path:" is replaced by just using the flake's path
no evaluation error is shown. As per the man page of `nix flake`
the "path" attribute refers to the local path of the flake.

This can just be removed (AFAIK) by referencing to the path as a
positional argument.

Possible related issues:
NixOS/nix#11030
original PR introducing the error message NixOS/nix#9497

Signed-off-by: Florian Brandes <[email protected]>
edolstra added a commit to DeterminateSystems/nix-src that referenced this issue Dec 13, 2024
edolstra added a commit to DeterminateSystems/nix-src that referenced this issue Dec 13, 2024
edolstra added a commit to DeterminateSystems/nix-src that referenced this issue Dec 16, 2024
@github-project-automation github-project-automation bot moved this from 🏁 Review to Done in Nix team Dec 16, 2024
mergify bot pushed a commit that referenced this issue Dec 16, 2024
Fixes #11030.

(cherry picked from commit 08361f0)

# Conflicts:
#	src/libexpr/eval.cc
#	tests/functional/import-from-derivation.nix
#	tests/functional/import-from-derivation.sh
mergify bot pushed a commit that referenced this issue Dec 16, 2024
Fixes #11030.

(cherry picked from commit 08361f0)

# Conflicts:
#	src/libexpr/eval.cc
#	tests/functional/import-from-derivation.nix