Merge branch 'ca-no-need-trust' of https://github.com/obsidiansystems/nix
This commit is contained in:
Eelco Dolstra
commit
847a5392f4
2 changed files with 41 additions and 3 deletions
|
|
@ -454,8 +454,46 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
|
||||||
readDerivation(from, *store, drv, Derivation::nameFromPath(drvPath));
|
readDerivation(from, *store, drv, Derivation::nameFromPath(drvPath));
|
||||||
BuildMode buildMode = (BuildMode) readInt(from);
|
BuildMode buildMode = (BuildMode) readInt(from);
|
||||||
logger->startWork();
|
logger->startWork();
|
||||||
if (!trusted)
|
|
||||||
throw Error("you are not privileged to build derivations");
|
/* Content-addressed derivations are trustless because their output paths
|
||||||
|
are verified by their content alone, so any derivation is free to
|
||||||
|
try to produce such a path.
|
||||||
|
|
||||||
|
Input-addressed derivation output paths, however, are calculated
|
||||||
|
from the derivation closure that produced them---even knowing the
|
||||||
|
root derivation is not enough. That the output data actually came
|
||||||
|
from those derivations is fundamentally unverifiable, but the daemon
|
||||||
|
trusts itself on that matter. The question instead is whether the
|
||||||
|
submitted plan has rights to the output paths it wants to fill, and
|
||||||
|
at least the derivation closure proves that.
|
||||||
|
|
||||||
|
It would have been nice if input-address algorithm merely depended
|
||||||
|
on the build time closure, rather than depending on the derivation
|
||||||
|
closure. That would mean input-addressed paths used at build time
|
||||||
|
would just be trusted and not need their own evidence. This is in
|
||||||
|
fact fine as the same guarantees would hold *inductively*: either
|
||||||
|
the remote builder has those paths and already trusts them, or it
|
||||||
|
needs to build them too and thus their evidence must be provided in
|
||||||
|
turn. The advantage of this variant algorithm is that the evidence
|
||||||
|
for input-addressed paths which the remote builder already has
|
||||||
|
doesn't need to be sent again.
|
||||||
|
|
||||||
|
That said, now that we have floating CA derivations, it is better
|
||||||
|
that people just migrate to those which also solve this problem, and
|
||||||
|
others. It's the same migration difficulty with strictly more
|
||||||
|
benefit.
|
||||||
|
|
||||||
|
Lastly, do note that when we parse fixed-output content-addressed
|
||||||
|
derivations, we throw out the precomputed output paths and just
|
||||||
|
store the hashes, so there aren't two competing sources of truth an
|
||||||
|
attacker could exploit. */
|
||||||
|
if (drv.type() == DerivationType::InputAddressed && !trusted)
|
||||||
|
throw Error("you are not privileged to build input-addressed derivations");
|
||||||
|
|
||||||
|
/* Make sure that the non-input-addressed derivations that got this far
|
||||||
|
are in fact content-addressed if we don't trust them. */
|
||||||
|
assert(derivationIsCA(drv.type()) || trusted);
|
||||||
|
|
||||||
auto res = store->buildDerivation(drvPath, drv, buildMode);
|
auto res = store->buildDerivation(drvPath, drv, buildMode);
|
||||||
logger->stopWork();
|
logger->stopWork();
|
||||||
to << res.status << res.errorMsg;
|
to << res.status << res.errorMsg;
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,7 @@ namespace nix {
|
||||||
#define WORKER_MAGIC_1 0x6e697863
|
#define WORKER_MAGIC_1 0x6e697863
|
||||||
#define WORKER_MAGIC_2 0x6478696f
|
#define WORKER_MAGIC_2 0x6478696f
|
||||||
|
|
||||||
#define PROTOCOL_VERSION 0x117
|
#define PROTOCOL_VERSION 0x118
|
||||||
#define GET_PROTOCOL_MAJOR(x) ((x) & 0xff00)
|
#define GET_PROTOCOL_MAJOR(x) ((x) & 0xff00)
|
||||||
#define GET_PROTOCOL_MINOR(x) ((x) & 0x00ff)
|
#define GET_PROTOCOL_MINOR(x) ((x) & 0x00ff)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue