Make safety checks optional and add nix-buffer-with-string #12
matthewbauer wants to merge 7 commits into shlevy:master from
add-nix-buffer-with-string can be used to call nix-buffer with a
string so you don’t need to have a dir-locals.nix
This is how I set it up in a Haskell program: (put at the end of the file)
-- Local Variables:
-- eval: (nix-buffer-with-string "let pkgs = import <nixpkgs> {};
-- in pkgs.nixBufferBuilders.withPackages
-- [(pkgs.haskellPackages.ghcWithPackages (self: with self; [parsec QuickCheck hpc]))]")
-- End:
Fixes shlevy#8
Each file will have a unique Nix expression so use that as our ‘state-dir’ name
There's no security issue running nix-build, just on evaluating the results.
(though probably eventually we should run it in restricted mode...)
nix-buffer.el
Outdated
| (kill-buffer err-buf)))))) | ||
|
|
||
| (defun nix-buffer--nix-build (root expr-file) | ||
| (defun nix-buffer--nix-build (expr-file &optional root skip-safety) |
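Review bot: The new signature `(expr-file &optional root skip-safety)` swaps the positions of ROOT and EXPR-FILE, so any caller still written against `(root expr-file)` will pass the root path as the expression file without any error. Update every call site in the same change, and describe SKIP-SAFETY in the docstring: going by its name, a non-nil third positional argument bypasses the safety checks, which is easy to miss at a call site.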
I guess it will break anything that needs 'root' like haskellMonoRepo. My thinking was in the context of 'nix-buffer-with-string' you wouldn't want to have a 'root' path set. For instance, you could use it in a script that didn't have any directory or buffer associated.
nix-buffer.el
Outdated
| (defun nix-buffer-with-string (expression) | ||
| "Start ‘nix-buffer’ but with a string EXPRESSION." | ||
| (interactive) | ||
| (let ((expr-file (make-temp-file "nix-buffer"))) |
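Review bot: `(interactive)` has no argument spec while the function takes a required EXPRESSION, so invoking it with M-x signals a wrong-number-of-arguments error. Give it a spec such as `(interactive "sNix expression: ")`, or drop `(interactive)` if the function is only meant to be called from an `eval:` form. The file returned by `make-temp-file` also needs to be deleted once the build has read it; no cleanup is visible in these lines.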
Hm, can't we just use nix-build -E instead of making a temp file?
Actually that's probably a good idea. I had thought it would save on code duplication but it won't make a big difference.
| (defun nix-buffer--nix-build (root expr-file) | ||
| "Start the nix build. | ||
| ROOT The path we started from. | ||
| EXPR-FILE The file containing the nix expression to build. |
Did you mean to drop the safety skipping?
By default safety checks are still performed. However, they are not performed when using nix-buffer-string because it is intended to be evaluated directly.
A question on the safety of nix-build though:
Is there a security concern with running arbitrary nix-build given that we have enabled:
?
It seems to me that nix-build should be safe to run by design (I guess it could eat up resources though).