requireFile setting allowSubstitutes = false is backwards

Currently requireFile sets allowSubstitutes = false on all the derivations it produces (since f194659). It reminds me a bit of this picture:

Presumably this was done because requireFile is expected to be used for non-redistributable files, so cache.nixos.org and other caches would not be allowed to host them. But there are two problems with this:

  • This is backwards; it prevents the builder from querying the cache, but it does not prevent someone from accidentally copying the derivation to a binary cache.
  • requireFile isn’t always used for non-redistributable files. Sometimes it’s used because there is no source offering a direct download, and so requireFile directs the user to a URL which requires a captcha or a sign-in or watching an ad or whatever. See for example apotheosis-x or upwork. There’s also liquidfun which probably shouldn’t be using requireFile…

Normally I’d just open a PR to remove allowSubstitutes but this needs to be “patched” from the other side first. That gets hairy very quickly, something like nix copy refuses to copy derivations where meta.licences includes unfree, but only if it’s a binary cache and not other kinds of stores? But none of the requireFile derivations currently set any licence information.

How do we fix this?

3 Likes

Generally, I see allowSubstitutes = false just as an optimization. It’s especially useful in those hosts of NixOS derivations that produce /etc contents.

1 Like
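
Since allowSubstitutes = false only affects the building side, any guard against uploading has to run on the pushing side. The sketch below is an added example, not code from nixpkgs or from either poster: it splits a closure into paths to upload and paths held for review, based on the flag in the derivation environment. The JSON shape, store paths and function names are constructed assumptions, and the second sample entry shows why the flag over-matches: it is also set as an optimization on trivial derivations.

```python
import json

# Constructed sample shaped like `nix derivation show` output (a map of .drv
# path -> derivation). All store paths and names here are made up.
SAMPLE = json.loads("""
{
  "/nix/store/aaaa-vendor-sdk.tar.gz.drv": {
    "env": {"name": "vendor-sdk.tar.gz", "allowSubstitutes": "",
            "outputHashMode": "flat"},
    "outputs": {"out": {"path": "/nix/store/bbbb-vendor-sdk.tar.gz"}}
  },
  "/nix/store/cccc-etc-motd.drv": {
    "env": {"name": "etc-motd", "allowSubstitutes": "", "preferLocalBuild": "1"},
    "outputs": {"out": {"path": "/nix/store/dddd-etc-motd"}}
  },
  "/nix/store/eeee-hello-2.12.drv": {
    "env": {"name": "hello-2.12"},
    "outputs": {"out": {"path": "/nix/store/ffff-hello-2.12"}}
  }
}
""")


def substitutes_disabled(drv):
    # Nix stores `allowSubstitutes = false` in the derivation environment as
    # the empty string; a missing attribute means the default (allowed).
    # Assumption: the derivation does not use __structuredAttrs.
    return drv.get("env", {}).get("allowSubstitutes", "1") != "1"


def split_for_push(derivations):
    """Return (push, held): output paths not flagged vs. held for review."""
    push, held = [], []
    for _, drv in sorted(derivations.items()):
        outs = [o["path"] for o in drv.get("outputs", {}).values() if "path" in o]
        (held if substitutes_disabled(drv) else push).extend(outs)
    return push, held


if __name__ == "__main__":
    push, held = split_for_push(SAMPLE)
    print("upload:", push)
    print("held for review:", held)
```
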