disable redistribution of proprietary software via Hydra #26

Closed
opened 2020-06-11 16:51:15 +08:00 by sb10q · 11 comments
Owner

WFVM is going to load the nixbld.m-labs.hk Nix store with proprietary crapware from Micro$oft (Win10, Visual Studio), and Hydra distributes it publicly, which goes against the EULAs.

I propose to solve this by adding an attribute on derivations that blocks Hydra downloads.

Ideally, downloads from the M-Labs LAN should still be available, in order to facilitate troubleshooting Windoze-related issues.

Author
Owner
https://github.com/NixOS/hydra/issues/143
Author
Owner
Here is an example of the URLs that are fetched from client Nix stores:
* https://nixbld.m-labs.hk/nsv6ygbcpm16j9zp6zm62w1z7v0j4p4y.narinfo
* https://nixbld.m-labs.hk/nar/nsv6ygbcpm16j9zp6zm62w1z7v0j4p4y-conda-asyncserial

Seems to be handled here in Hydra:
* https://github.com/NixOS/hydra/blob/master/src/lib/Hydra/View/NARInfo.pm
* https://github.com/NixOS/hydra/blob/master/src/lib/Hydra/View/NixNAR.pm
Author
Owner

Should be a matter of returning 404 Not Found for both hash.narinfo and /nar/hash*

Author
Owner
The error handling is done in the callers here:
* https://github.com/NixOS/hydra/blob/0b300e80ad579481fca3663e56356924b8a628e5/src/lib/Hydra/Controller/Root.pm#L350
* https://github.com/NixOS/hydra/blob/0b300e80ad579481fca3663e56356924b8a628e5/src/lib/Hydra/Controller/Root.pm#L309
Author
Owner

A simple solution could be to add an empty /nix-support/do-not-distribute file into the derivation outputs. Getting the meta info of the package (with the license) seems more difficult.

Contributor
diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
index a9b0d558..b77a7fc3 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -319,6 +319,7 @@ sub nar :Local :Args(1) {
         $path = $Nix::Config::storeDir . "/$path";
 
         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
+        notFound($c, "Do not distribute") if -e "$path/nix-support/do-not-distribute";
 
         $c->stash->{current_view} = 'NixNAR';
         $c->stash->{storePath} = $path;
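
Review bot: The `-e "$path/nix-support/do-not-distribute"` test added to `nar` only matches when the store path is a directory that contains the marker; a store path that is a single file (a fetched ISO, for example) can never carry it and falls through to the NixNAR view. If such paths need blocking, test the store path name as well, or document that the marker only covers directory outputs. The check also applies to every client, so it does not give the LAN exemption the issue asks for.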
@@ -368,6 +369,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
             setCacheHeaders($c, 60 * 60);
             return;
         }
+        notFound($c, "Do not distribute") if -e "$path/nix-support/do-not-distribute";
 
         $c->stash->{storePath} = $path;
         $c->forward('Hydra::View::NARInfo');
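
Review bot: The marker test added to `narinfo` repeats the literal path from the `nar` hunk; if one copy is later renamed and the other is not, one of the two endpoints keeps serving the path. Move the test into a single helper (a hypothetical `isRestricted($path)`, say) and call it from both handlers. Also note that the branch just above calls `setCacheHeaders($c, 60 * 60)` before returning while the new line sets none; decide whether the refusal should be cacheable in the same way.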

I am about to test this before committing ~~but Hydra doesn't build for me right now, neither on 20.03 nor on master~~. Ok, hydra-2020-06-23 builds successfully for me...

Author
Owner

Nitpick: restrict-distribution seems to be a better name than do-not-distribute.

There has been some mess with Hydra recently, the recommended package is now called hydra-unstable and it builds as of 20.03.2176.a84b797b28e.

Author
Owner

Is the Windows ISO redistributable? What about the VS bootstrap installer?
We may still have a problem with fetchurl, and the fetchurl store paths are clearly visible e.g. https://nixbld.m-labs.hk/build/69946/nixlog/27

Author
Owner

A simple hack - that would work also for fetchurl - would be to start the relevant derivation names with "RESTRICTDIST" :)
e.g. /nix/store/pf3jkpq8nxycv4a3i5z4rnbp1wx512bx-RESTRICTDIST-windows10.iso

Contributor

RESTRICTDIST in the name is a good idea as that allows the feature for Nix store entries that are not directories.

fetchurl accepts an additional name attribute which I made use of in #30.

Author
Owner
It works! https://nixbld.m-labs.hk/nar/xks67i4frg8k7rmlv5298aac0s4n5nih-RESTRICTDIST-release_svc_refresh_CLIENT_LTSC_EVAL_x64FRE_en-us.iso
sb10q closed this issue 2020-06-27 17:16:04 +08:00
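
A Python model of the name-based check the thread settles on, added here as an example; it is not Hydra's or M-Labs' code. The LAN range, the function names and the "name starts with RESTRICTDIST" rule are assumptions, and the two store paths are the ones quoted in the thread. It covers both URL shapes, including `.narinfo` requests, which carry only the hash and must be resolved to the full store name before the tag can be seen.

```python
import ipaddress
import re

MARKER = "RESTRICTDIST"  # name tag proposed in the thread
# Assumption: constructed LAN range, not M-Labs' real addressing.
LAN = ipaddress.ip_network("192.168.1.0/24")

NARINFO_RE = re.compile(r"^/([a-z0-9]{32})\.narinfo$")
NAR_RE = re.compile(r"^/nar/([a-z0-9]{32})-([A-Za-z0-9+._?=-]+)$")

# Store entries (hash-name) taken from the URLs quoted in the thread.
SAMPLE_STORE = {
    "nsv6ygbcpm16j9zp6zm62w1z7v0j4p4y-conda-asyncserial",
    "pf3jkpq8nxycv4a3i5z4rnbp1wx512bx-RESTRICTDIST-windows10.iso",
}

def resolve(url_path, store_names):
    """Map a cache URL to the full store entry name, or None if unknown."""
    m = NARINFO_RE.match(url_path)
    if m:
        # A .narinfo URL has no name part; look the hash up in the store.
        prefix = m.group(1) + "-"
        return next((n for n in store_names if n.startswith(prefix)), None)
    m = NAR_RE.match(url_path)
    if m:
        name = m.group(1) + "-" + m.group(2)
        return name if name in store_names else None
    return None

def is_restricted(store_name):
    """True when the name part (after the hash) starts with the tag."""
    return store_name.split("-", 1)[1].startswith(MARKER)

def decide(url_path, client_ip, store_names):
    """Return the HTTP status the cache should answer with."""
    name = resolve(url_path, store_names)
    if name is None:
        return 404
    # client_ip must be the real peer address; behind a reverse proxy,
    # use the proxy-supplied address only if the proxy is trusted.
    on_lan = ipaddress.ip_address(client_ip) in LAN
    if is_restricted(name) and not on_lan:
        return 404  # same answer as a missing path, for both endpoints
    return 200
```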
Reference: M-Labs/nix-scripts#26