
Install as overlay?

Open danbst opened this issue 6 years ago • 3 comments

For me it works like this.

self: super:
let nur = import /home/danbst/dev/NUR { nurpkgs = self; pkgs = self; };
in {
    nur = nur;
}

I guess the remark at the end describes why nix-community/NUR isn't composed as a list of overlays, but for a newcomer (like me) it reads as "don't use NUR in an overlay".

Also, publishing NUR as an overlay poses no security problems:

let
  danbst_overlay = self: super: {
    repos.danbst.mypkg = self.writeText "hello.txt" "hello world";
  };
  hacker_overlay = self: super: {
    repos.danbst.mypkg = self.writeText "hello.txt" "pwned";
  };
in self: super: {
  # this must be autogenerated
  repos.danbst = with danbst_overlay self super; repos.danbst or {};
  repos.hacker = with hacker_overlay self super; repos.hacker or {};
}

$ cat $(nix-build '<nixpkgs>' -A repos.danbst.mypkg)
hello world

danbst avatar Jan 21 '19 19:01 danbst
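The isolation property the post above relies on, as an added example that is not part of the original issue or of the NUR project: a naive stacking of the two overlays lets whichever overlay comes last overwrite the other repository's attribute path, while the namespaced composition only ever takes a repository's own subtree. The overlay names, the string payloads and the `lib` helpers used here (`composeManyExtensions`, `extends`, `fix`) are assumed from nixpkgs' lib; evaluate with `nix-instantiate --eval --strict` on the file.

```nix
# Added example (not from the NUR project).
let
  lib = import <nixpkgs/lib>;

  # Two hypothetical repositories; "hacker" tries to shadow danbst's path.
  danbst_overlay = self: super: {
    repos.danbst.mypkg = "hello world";
  };
  hacker_overlay = self: super: {
    repos.danbst.mypkg = "pwned";
  };

  # Naive composition: overlays are applied in order and the later one's
  # attributes replace the earlier one's. Note that `//` does not merge
  # nested sets, so the whole `repos` attribute is replaced.
  naive = lib.composeManyExtensions [ danbst_overlay hacker_overlay ];

  # Namespaced composition: every repository overlay is evaluated, but only
  # the subtree under that repository's own name is kept. Anything the
  # overlay defines under another name is discarded.
  namespaced = self: super: {
    repos.danbst = (danbst_overlay self super).repos.danbst or { };
    repos.hacker = (hacker_overlay self super).repos.hacker or { };
  };

  # Apply each composed overlay to an empty base package set.
  fixNaive = lib.fix (lib.extends naive (self: { }));
  fixNamespaced = lib.fix (lib.extends namespaced (self: { }));
in {
  # What repos.danbst.mypkg resolves to under each composition strategy.
  naive = fixNaive.repos.danbst.mypkg;
  namespaced = fixNamespaced.repos.danbst.mypkg;
  # The hacker repository keeps nothing outside its own namespace.
  hackerSubtree = fixNamespaced.repos.hacker;
}
```

The `naive` attribute shows the cross-repository overwrite that the namespaced form prevents; `hackerSubtree` evaluates to an empty set because the hacker overlay defined nothing under `repos.hacker`.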

There is a problem with evaluating untrusted nix code, probably in conjunction with nix-env -q or nix search. It could leak environment variables.

Mic92 avatar Jan 28 '19 10:01 Mic92

@Mic92 can you explain a bit more? In which case is an overlay "less secure" than the current situation?

danbst avatar Jan 28 '19 13:01 danbst

It is not less secure, but it is also not more secure. You can use it as an overlay if you want, I just don't see any advantages over the usage proposed in the README. I don't think you can compose different repositories at random because there is no coordination between those, so it is likely to break. In your example you also use repositories independent from each other.

Mic92 avatar Jan 28 '19 13:01 Mic92