On Sun, Dec 27, 2009 at 00:53, Marc Weber <[email protected]> wrote:
> Excerpts from Michael Raskin's message of Sat Dec 26 15:06:44 +0100 2009:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Nicolas Pierron wrote:
>> > I thought multiple times of this issue. I see another solution which
>> > implies the implementation of the following rules:
>> >
>> >  - Restricted file/data should not be copied into the store and
>> >    should cause the failure of the build process.
>> >  - The permission of a derivation corresponds to the intersection of
>> >    all dependencies' permissions.
>>
>> Or easier.. One can mark derivation "restricted". Then it is only
>> readable to Nix daemon and root.
>
> I don't think this will work.
>
> You can write this derivation:
>
>
> mkDerivation {
>   name ="getpasswords";
>   derivation = "/nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxx-the-passwords";
>
>   buildPhase = ''
>     cp -r $derivation /tmp
>     chmod -R 777 $derivation
>   '';
> }
>
> Or do you want to prohibit reusing "restricted" derivations?
>
> Michael Raskin: Yes, I thought about kind of propagating some restricted
> feature as well. But I'd like to use KISS (keep it stupid simple).
> Adding a writeFile would solve the problem and everyone can understand
> it.
>
> So I hope nobody minds me adding such a primop.

I think you should wait for the answer of the Nix Guru. Such a prim-op
breaks the concept that Nix only writes data inside the Nix store. Other
wrappers are made to handle links to the store.

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/

Lars Rasmussen (Google IO 2009) - Icland is an icland.
_______________________________________________
nix-dev mailing list
[email protected]
https://mail.cs.uu.nl/mailman/listinfo/nix-dev
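
The propagation rule quoted in this thread (a derivation's permission is the intersection of its dependencies' permissions), sketched as an added example that is not part of the original messages and is not Nix code. The reader names, the `EVERYONE` marker and the sample graph are constructed assumptions.

```python
# Added illustration, not Nix code: models the rule proposed in the thread,
# where a derivation's permission is the intersection of its own declared
# permission and the permissions of all of its dependencies.

EVERYONE = frozenset({"*"})  # hypothetical marker for "world-readable"

# Constructed sample graph: name -> (declared readers, direct dependencies)
DERIVATIONS = {
    "glibc": (EVERYONE, ()),
    "the-passwords": (frozenset({"root", "nix-daemon"}), ()),
    "tls-key": (frozenset({"root", "nginx"}), ()),
    "hello": (EVERYONE, ("glibc",)),
    "getpasswords": (EVERYONE, ("glibc", "the-passwords")),
    "bundle": (EVERYONE, ("the-passwords", "tls-key")),
}


def intersect(a, b):
    """Intersect two reader sets, treating EVERYONE as the universal set."""
    if a == EVERYONE:
        return b
    if b == EVERYONE:
        return a
    return a & b


def effective_readers(name, graph=DERIVATIONS, _path=()):
    """Readers allowed on `name` after propagating restrictions upward."""
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    declared, deps = graph[name]
    readers = declared
    for dep in deps:
        readers = intersect(readers, effective_readers(dep, graph, _path + (name,)))
    return readers


if __name__ == "__main__":
    for drv in DERIVATIONS:
        readers = effective_readers(drv)
        label = "world-readable" if readers == EVERYONE else ", ".join(sorted(readers))
        print(f"{drv:15} {label}")
```

Under this rule the output of a derivation that takes the restricted path as an input is itself restricted, and an output built from two differently restricted inputs is readable only by the accounts common to both.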
