flakes: Locking on effective urls breaks fetching github releases (and probably other things) #4672

Closed
johnae opened this issue Mar 26, 2021 · 7 comments

@johnae
Contributor

johnae commented Mar 26, 2021

Describe the bug

Before #4595 was merged we used flakes to lock and fetch github releases. GitHub uses redirects to so-called signed urls which expire after some time. This means that any flake.lock will, after the merge of #4595, contain unusable urls.

The intention of the merged pull request seems to have been to enable locking of nixos channels which ALSO use redirects but for a different purpose. I see how that might be useful but I still question the point of enabling the use of nixos channels when flakes are supposed to replace them in the end.

In any case - that merge broke many of our projects so that we cannot update flake inputs anymore unless we use an older version of Nix.

Steps To Reproduce

  1. Use a Nix version after pull request 4595 was merged
  2. Add an input to a github release, for example:

     ```nix
     {
       inputs.fluxcd-x86_64-linux = {
         url = "https://github.com/fluxcd/flux2/releases/download/v0.10.0/flux_0.10.0_linux_amd64.tar.gz";
         flake = false;
       };
     }
     ```

  3. Lock that input by running `nix flake update`.
  4. See how the locked url is actually a signed expiring url
Expected behavior

The old behavior of NOT following the redirect.

`nix-env --version`: `nix-env (Nix) 2.4pre20210317_8a5203d`

@johnae johnae added the bug label Mar 26, 2021
@johnae johnae changed the title Locking on effective urls breaks fetching github releases (and probably other things) flakes: Locking on effective urls breaks fetching github releases (and probably other things) Mar 29, 2021
@dramforever
Contributor

As the author of #4595, I was unaware of this situation and I think it is fine to revert it

@fogti
Contributor

fogti commented Apr 2, 2021

Would it be possible to introduce a switch (e.g. similar to .flake = false) which would optionally enable the "effective url locking" behavior?

@dramforever
Contributor

I don't think it's worth it, considering that using redirect to work with channels is pretty niche, and it's also surprising.

Any other use case for locking on the redirect destination?

@fogti
Contributor

fogti commented Apr 2, 2021

I don't know of any other case... and working with channels in flakes is probably also rather niche...

@L-as
Member

L-as commented Apr 9, 2021

You could have a channel type instead of having some switch, which would work like tarball except have the functionality of the PR.

dramforever added a commit to dramforever/nix that referenced this issue Apr 9, 2021
This reverts commit fc6bfb2.

Locking on the redirect destination proved to be problematic for some
URLs. For example, GitHub releases downloads redirect to URLs that
expire after some time, which would be broken by this behavior.

Fixes NixOS#4672.
@dramforever
Contributor

dramforever commented Apr 9, 2021

I'm leaning toward not implementing this feature now and reverting #4595

cc @edolstra, who originally merged #4595. What do you think? Sorry for the noise...

@edolstra
Member

edolstra commented Apr 9, 2021

Thanks, I've reverted it.
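
An added example, not part of the thread and not code from Nix: a Python audit for lock files written while effective-URL locking was in effect. It reports tarball/file inputs whose locked URL differs from the declared one and marks those carrying expiry parameters. The sample lock file, its signed host and hashes are constructed placeholders, and the `X-Amz-*` names assume an AWS-style presigned URL.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: the signed URL is an AWS-style presigned URL with these parameters.
EXPIRY_PARAMS = {"x-amz-date", "x-amz-expires", "x-amz-signature"}

def audit_lock(lock_text):
    """Report tarball/file inputs whose locked URL is not the declared URL."""
    findings = []
    for name, node in sorted(json.loads(lock_text).get("nodes", {}).items()):
        locked, original = node.get("locked", {}), node.get("original", {})
        if locked.get("type") not in ("tarball", "file"):
            continue  # root node and rev-pinned inputs (github, git) are skipped
        l_url, o_url = locked.get("url"), original.get("url")
        if not l_url or not o_url or l_url == o_url:
            continue
        params = {k.lower() for k in parse_qs(urlsplit(l_url).query)}
        findings.append({
            "input": name,
            "declared": o_url,
            "locked_host": urlsplit(l_url).hostname,
            "expiring": bool(params & EXPIRY_PARAMS),
        })
    return findings

# Constructed sample: hosts, hashes and signature values are placeholders.
DECLARED = ("https://github.com/fluxcd/flux2/releases/download/"
            "v0.10.0/flux_0.10.0_linux_amd64.tar.gz")
SAMPLE_LOCK = json.dumps({
    "nodes": {
        "fluxcd-x86_64-linux": {
            "locked": {"type": "tarball", "narHash": "sha256-PLACEHOLDER",
                       "url": "https://signed.example.invalid/flux.tar.gz"
                              "?X-Amz-Date=20210326T000000Z&X-Amz-Expires=300"
                              "&X-Amz-Signature=PLACEHOLDER"},
            "original": {"type": "tarball", "url": DECLARED},
        },
        "ok": {
            "locked": {"type": "tarball", "narHash": "sha256-PLACEHOLDER", "url": DECLARED},
            "original": {"type": "tarball", "url": DECLARED},
        },
        "root": {"inputs": {"fluxcd-x86_64-linux": "fluxcd-x86_64-linux", "ok": "ok"}},
    },
    "root": "root", "version": 7,
})

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(finding)
```

An input reported with `expiring` set needs to be re-locked with a Nix version that does not follow the redirect.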
