naersk
filtering sources does not work for naersk in flakes
I find myself in a situation where I have a big project, which is partially rust. I'd like to pass some of the content in ./. to it, but not everything. Normally, I'd just do something like
```nix
{
  inputs.flake-utils.url = "github:numtide/flake-utils";

  # nixpkgs is not declared as an input, so it is resolved through the
  # flake registry (nixpkgs is the default registry entry).
  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
      in
      rec {
        packages.hello = pkgs.stdenv.mkDerivation {
          name = "hello";
          # A filtered copy of the flake directory; this filter keeps every
          # file, which is already enough to exercise the code path.
          src = builtins.filterSource (p: t: true) ./.;
          installPhase = ''ls > $out'';
        };
        defaultPackage = packages.hello;
      });
}
```
(To check: `git init`, `touch a`, write the text above to `flake.nix`, and `git add .`.) However, if I try the same approach with naersk, the build fails:
```text
error: access to path '/nix/store/z5ls12qnx7k90iz9l1fgqpjp549hhcmm-vlsmzdlfwzxfsc7zfiikc77l1gq27fdz-source/Cargo.toml' is forbidden in restricted mode

       … while evaluating 'readTOML'

       at /nix/store/mgpp97agbjvmy3rcbvy6ps1hnxxgiccp-source/builtins/default.nix:13:23:

           12|
           13|   readTOML = usePure: f:
             |                       ^
           14|     if usePure then

       … from call site

       at /nix/store/mgpp97agbjvmy3rcbvy6ps1hnxxgiccp-source/config.nix:348:25:

          347|   # The top level Cargo.toml, either a workspace or package
          348|   toplevelCargotoml = readTOML (root + "/Cargo.toml");
             |                         ^
          349|

       … while evaluating the attribute 'packageName'

       at /nix/store/mgpp97agbjvmy3rcbvy6ps1hnxxgiccp-source/config.nix:353:5:

          352|
          353|   packageName =
             |     ^
          354|     if ! isNull attrs.name

       … while evaluating the attribute 'name'

       at /nix/store/mgpp97agbjvmy3rcbvy6ps1hnxxgiccp-source/build.nix:143:5:

          142|   drvAttrs = {
          143|     name = "${pname}-${version}";
             |     ^
          144|     inherit

       … while evaluating the derivation attribute 'name'

       at /nix/store/lmz6fwp507p30lr5j0ijm497k40g3ys7-source/pkgs/stdenv/generic/make-derivation.nix:197:11:

          196|     // (lib.optionalAttrs (attrs ? name || (attrs ? pname && attrs ? version)) {
          197|       name =
             |           ^
          198|         let
```
To reproduce: `cargo init`, add the following `flake.nix`, and `git add .`
```nix
{
  inputs = {
    utils.url = "github:numtide/flake-utils";
    naersk.url = "github:nmattia/naersk";
  };

  outputs = { self, nixpkgs, utils, naersk }:
    utils.lib.eachSystem [ "x86_64-linux" "i686-linux" ] (system:
      let
        pkgs = nixpkgs.legacyPackages."${system}";
        naersk-lib = naersk.lib."${system}";
      in
      rec {
        packages.my-app = naersk-lib.buildPackage {
          pname = "app";
          # Same keep-everything filter as in the mkDerivation example; naersk
          # then reads Cargo.toml out of this filtered store path at
          # evaluation time, which is what trips restricted mode.
          src = builtins.filterSource (p: t: true) ./.;
          doCheck = true;
        };
        defaultPackage = packages.my-app;
      });
}
```
This is reproducible without flakes, if restricted-eval is turned on and a source filter is used.
Hi, thanks for this detailed report - I'll take a look some time later 🙂
This seems to be related to https://github.com/NixOS/nix/issues/3234
We've worked around it in TVL by constructing a fake root with only the Cargo.lock and Cargo.toml in it, which works fine.
🤔 I've just checked it and everything seems to be working properly, including nix build --restrict-eval (I'm running Nix 2.9.0pre20220505_f4102de); which Nix versions are y'all using?
The issue is actually a Nix bug, and was fixed somewhere at 2.3 < x <= 2.8. This means it mostly affects people who don't use newer, flakes-centric Nix versions (i.e. ~ 2.3).
For others running into this issue, you can work around it by creating a store path that only contains your Cargo.toml and Cargo.lock and passing it as the root parameter to buildPackage, for example this solution.
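A concrete form of the workaround described in the last two comments, written here as an added example (it is not code from the thread, from TVL, or from naersk itself). It assumes naersk's `root` argument, which the trace above shows `config.nix` using to locate `Cargo.toml`, and nixpkgs' `runCommandLocal`; the `docs` exclusion in the filter is a placeholder for whatever you actually want to leave out of `src`.

```nix
{
  inputs = {
    utils.url = "github:numtide/flake-utils";
    naersk.url = "github:nmattia/naersk";
  };

  outputs = { self, nixpkgs, utils, naersk }:
    utils.lib.eachSystem [ "x86_64-linux" ] (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        naersk-lib = naersk.lib.${system};

        # The filtered tree the Rust build actually compiles from. The filter
        # is an assumption for this example: drop a `docs` directory, keep
        # everything else (Cargo.toml, Cargo.lock and src/ must survive it).
        filteredSrc = builtins.filterSource
          (path: type: baseNameOf path != "docs")
          ./.;

        # A separate store path holding only the two files naersk parses
        # during evaluation. `${./Cargo.toml}` copies that single file into the
        # store without going through a filter, so it stays readable on the
        # Nix versions affected by the restricted-mode bug.
        cargoRoot = pkgs.runCommandLocal "cargo-root" { } ''
          mkdir -p "$out"
          cp ${./Cargo.toml} "$out/Cargo.toml"
          cp ${./Cargo.lock} "$out/Cargo.lock"
        '';
      in
      rec {
        packages.my-app = naersk-lib.buildPackage {
          pname = "app";
          src = filteredSrc;
          # naersk reads Cargo.toml and Cargo.lock from `root` at evaluation
          # time; the build itself still runs against `src`.
          root = cargoRoot;
          doCheck = true;
        };
        defaultPackage = packages.my-app;
      });
}
```

Because `cargoRoot` is a derivation, Nix has to build it while evaluating the flake (import from derivation), so this relies on `allow-import-from-derivation` being enabled, which is the default. Keep `Cargo.lock` in `root` as well as in `src`: naersk derives the dependency set from the lock file it reads at evaluation time, and a `root` whose lock file drifts from the one in `src` would silently build against a different set of crates.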