[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
98/118: Add disallowedReferences / disallowedRequisites
|
From: |
Ludovic Courtès |
|
Subject: |
98/118: Add disallowedReferences / disallowedRequisites |
|
Date: |
Tue, 19 May 2015 14:45:57 +0000 |
civodul pushed a commit to branch nix
in repository guix.
commit 3bb89c3a31b9cf6e056f3659389e2d2e7afd17fa
Author: Eelco Dolstra <address@hidden>
Date: Thu Aug 28 18:57:13 2014 +0200
Add disallowedReferences / disallowedRequisites
For the "stdenv accidentally referring to bootstrap-tools", it seems
easier to specify the path that we don't want to depend on, e.g.
disallowedRequisites = [ bootstrapTools ];
---
nix/libstore/build.cc | 55 +++++++++++++++++++++++++-----------------------
1 files changed, 29 insertions(+), 26 deletions(-)
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 133ea6d..6d90ce9 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2350,33 +2350,36 @@ void DerivationGoal::registerOutputs()
debug(format("referenced input: `%1%'") % *i);
}
- /* If the derivation specifies an `allowedReferences'
- attribute (containing a list of paths that the output may
- refer to), check that all references are in that list. !!!
- allowedReferences should really be per-output. */
- if (drv.env.find("allowedReferences") != drv.env.end()) {
- PathSet allowed = parseReferenceSpecifiers(drv, get(drv.env,
"allowedReferences"));
- foreach (PathSet::iterator, i, references)
- if (allowed.find(*i) == allowed.end())
- throw BuildError(format("output (`%1%') is not allowed to
refer to path `%2%'") % actualPath % *i);
- }
+ /* Enforce `allowedReferences' and friends. */
+ auto checkRefs = [&](const string & attrName, bool allowed, bool
recursive) {
+ if (drv.env.find(attrName) == drv.env.end()) return;
+
+ PathSet spec = parseReferenceSpecifiers(drv, get(drv.env,
attrName));
+
+ PathSet used;
+ if (recursive) {
+ /* Our requisites are the union of the closures of our
references. */
+ for (auto & i : references)
+ /* Don't call computeFSClosure on ourselves. */
+ if (actualPath != i)
+ computeFSClosure(worker.store, i, used);
+ } else
+ used = references;
+
+ for (auto & i : used)
+ if (allowed) {
+ if (spec.find(i) == spec.end())
+ throw BuildError(format("output (`%1%') is not allowed
to refer to path `%2%'") % actualPath % i);
+ } else {
+ if (spec.find(i) != spec.end())
+ throw BuildError(format("output (`%1%') is not allowed
to refer to path `%2%'") % actualPath % i);
+ }
+ };
- /* If the derivation specifies an `allowedRequisites'
- attribute (containing a list of paths that the output may
- refer to), check that all requisites are in that list. !!!
- allowedRequisites should really be per-output. */
- if (drv.env.find("allowedRequisites") != drv.env.end()) {
- PathSet allowed = parseReferenceSpecifiers(drv, get(drv.env,
"allowedRequisites"));
- PathSet requisites;
- /* Our requisites are the union of the closures of our references.
*/
- foreach (PathSet::iterator, i, references)
- /* Don't call computeFSClosure on ourselves. */
- if (actualPath != *i)
- computeFSClosure(worker.store, *i, requisites);
- foreach (PathSet::iterator, i, requisites)
- if (allowed.find(*i) == allowed.end())
- throw BuildError(format("output (`%1%') is not allowed to
refer to requisite path `%2%'") % actualPath % *i);
- }
+ checkRefs("allowedReferences", true, false);
+ checkRefs("allowedRequisites", true, true);
+ checkRefs("disallowedReferences", false, false);
+ checkRefs("disallowedRequisites", false, true);
worker.store.optimisePath(path); // FIXME: combine with
scanForReferences()
- 103/118: nix-daemon: Close unnecessary fd, (continued)
- 103/118: nix-daemon: Close unnecessary fd, Ludovic Courtès, 2015/05/19
- 97/118: Introduce allowedRequisites feature, Ludovic Courtès, 2015/05/19
- 113/118: Clean up temp roots in a more C++ way, Ludovic Courtès, 2015/05/19
- 105/118: Remove some duplicate code, Ludovic Courtès, 2015/05/19
- 108/118: Improve error message if the daemon worker fails to start, Ludovic Courtès, 2015/05/19
- 100/118: Settings: Add bool get(), Ludovic Courtès, 2015/05/19
- 106/118: Improved error message when encountering unsupported file types, Ludovic Courtès, 2015/05/19
- 114/118: nix-daemon: Call exit(), not _exit(), Ludovic Courtès, 2015/05/19
- 99/118: Add an 'optimiseStore' remote procedure call., Ludovic Courtès, 2015/05/19
- 107/118: Fix build on gcc < 4.7, Ludovic Courtès, 2015/05/19
- 98/118: Add disallowedReferences / disallowedRequisites,
Ludovic Courtès <=
- 110/118: Make ~DerivationGoal more reliable, Ludovic Courtès, 2015/05/19
- 111/118: Don't use ADDR_LIMIT_3GB, Ludovic Courtès, 2015/05/19
- 115/118: Disable vacuuming the DB after garbage collection, Ludovic Courtès, 2015/05/19
- 117/118: Build derivations in a more predictable order, Ludovic Courtès, 2015/05/19
- 109/118: nix-store --gc: Don't warn about missing manifests directory, Ludovic Courtès, 2015/05/19
- 118/118: Don't wait for PID -1, Ludovic Courtès, 2015/05/19
- 112/118: Fix message, Ludovic Courtès, 2015/05/19
- 116/118: Don't create unnecessary substitution goals for derivations, Ludovic Courtès, 2015/05/19