-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make builtins.fetchClosure
non-experimental
#8963
base: master
Are you sure you want to change the base?
Conversation
I am not sure I am quite ready for this. I would like to "deeply nar hash" input-addresed closures with a single hash. |
That seems like an extension more than a breaking change. Could you explain the problem that "deeply" hashing would solve? |
AFIAK the input addressing vs content addressing check is only on the root store object, we have no guarantees about what it references, and what its contents might be. As I understand it, the whole business about adding trusted substituters around this was because we were uncomfortable with this stuff in pure eval mode. I think we are now more OK with it, but then I don't really see why listing substituters is associated with this feature: it is generally useful to hint at where things can be obtained, and that should have nothing to do with this or any sort of security story. Basically I think the current Instead what I would like to see is something like:
|
builtins.fetchClosure
non-experimental
Regarding factoring out a (string context) featureI don't think the existence of The risk of stabilizing this feature is very small, considering the small surface area, and I think we should be careful about picking our battles. If we're going to factor out features, we better do the big ones first, and I wouldn't take this one hostage until that's done. We have other cases where some builtins aren't necessary anymore, and these builtins have provided massive value to users that allows us to move things forward today.
Regarding CA
I believe we do actually guarantee that the contents are CA all the way down if the caller doesn't allow input addressing. If you have a certain scenario in mind where more such enforcement is needed, please elaborate why that should be a blocker. Otherwise, I'm rather skeptical that we should block this on a hypothetical requirement from a hypothetical CA-using community. That feature is after all still experimental, largely undocumented and painful to use because it's not in |
src/libutil/experimental-features.cc
Outdated
.description = R"( | ||
Enable the use of the [`fetchClosure`](@docroot@/language/builtins.md#builtins-fetchClosure) built-in function in the Nix language. | ||
)", | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the process for stabilizing a feature? I think we should silently ignore it until well after, because they're harmless and that way users can use mixed Nix versions with the same config without getting annoyed with non actionable warnings.
I guess we did it this way in #8322
Maybe we could have a list of ignored features so that we don't warn for those?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we did it in #8322, but that seems to be a great idea.
I think we can just keep the experimental flag and mark it as deprecated with no effect. Or have an extra field specifying that it should be enabled by default
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't sure about it, but reverted that part for now, it really doesn't feel nice to give people a warning for this case.
I'm unsure how deprecating works for experimental features though.
From a quick look, I am very open to the idea that I am picking an unnecessary battle :). But I don't think the main thing I mentioned, the "deep nar hashing" would be too hard either? |
I agree with @roberth, let us not have the best be the enemy of the good. This is a valuable feature for a number of people and we shouldn't delay it forever because we could possibly make it better at some point in the future |
To flip it around, if Stepping back a bit, this primop is currently 3 things in 1 (for understandable reasons, don't get me wrong). Which way(s) do people actually use it? |
Just to be clear, I very much don't mean to be saying anything like "just wait for content-addressed derivations". I think this whole business of downloading proprietary/black-box software is more complex than it needs to be because we haven't decided on what store objects actually are, but conversely anything we do decide on has to include input-addressed ones too. Put another way, I think that asking people to do no input-addressing any time soon is unrealistic --- even in a CA by default world, there will be things for which store path rewriting doesn't work, and thus we'll need some predetermined (whether input addressed or randomized, hardly matters) store paths. The "deep NAR hash" is basically admitting we need to be able to refer to entire closure of block-box store objects whether those are content-addressed, input-addressed, or a mix; that we can't wait for everywhere content-addressed store paths to save us. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2023-09-15-nix-team-meeting-minutes-86/33171/1 |
After talking to @roberth more, #5868 (comment) this is my preferred solution --- I think |
From Nix Team discussion:
Remaining hesitancy and questsions
|
Just wanted to say that we've been using this function for months now in https://github.com/input-output-hk/capkgs and it significantly speeds up our development and deployment. |
#11919 finally wrote up the design for "deep NAR hashing". The idea is since one of these hashes can verify a closure, regardless of whether it contains any input-addressed stuff, it is a solution for making |
Motivation
builtins.fetchClosure
has been around for quite some time already, and is used by various people without any issues.I think this should finally be removed from the list of experimental features.
Context
This should be a rather trivial change. Pinging @roberth for review.
Priorities
Add 👍 to pull requests you find important.