M-Labs
/
nix-scripts
9
0
Fork 9
Code Issues 6 Pull Requests Releases Wiki Activity

disable redistribution of proprietary software via Hydra #26

New Issue
Closed
opened 2020-06-11 16:51:15 +08:00 by sb10q · 11 comments
sb10q commented 2020-06-11 16:51:15 +08:00
Owner
Copy Link

WFVM is going to load the nixbld.m-labs.hk Nix store with proprietary crapware from Micro$oft (Win10, Visual Studio), and Hydra distributes it publicly, which goes against the EULAs.

I propose to solve this by adding an attribute on derivations that blocks Hydra downloads.

Ideally, downloads from the M-Labs LAN should still be available, in order to facilitate troubleshooting Windoze-related issues.

WFVM is going to load the nixbld.m-labs.hk Nix store with proprietary crapware from Micro$oft (Win10, Visual Studio), and Hydra distributes it publicly, which goes against the EULAs. I propose to solve this by adding an attribute on derivations that blocks Hydra downloads. Ideally, downloads from the M-Labs LAN should still be available, in order to facilitate troubleshooting Windoze-related issues.
sb10q commented 2020-06-24 22:42:43 +08:00
Author
Owner
Copy Link

https://github.com/NixOS/hydra/issues/143

https://github.com/NixOS/hydra/issues/143
sb10q commented 2020-06-24 23:08:50 +08:00
Author
Owner
Copy Link

Here is an example of the URLs that are fetched from client Nix stores:

Seems to be handled here in Hydra:

Here is an example of the URLs that are fetched from client Nix stores: * https://nixbld.m-labs.hk/nsv6ygbcpm16j9zp6zm62w1z7v0j4p4y.narinfo * https://nixbld.m-labs.hk/nar/nsv6ygbcpm16j9zp6zm62w1z7v0j4p4y-conda-asyncserial Seems to be handled here in Hydra: * https://github.com/NixOS/hydra/blob/master/src/lib/Hydra/View/NARInfo.pm * https://github.com/NixOS/hydra/blob/master/src/lib/Hydra/View/NixNAR.pm
sb10q commented 2020-06-24 23:10:54 +08:00
Author
Owner
Copy Link

Should be a matter of returning 404 Not Found for both hash.narinfo and /nar/hash*

Should be a matter of returning 404 Not Found for both hash.narinfo and /nar/hash*
sb10q commented 2020-06-24 23:17:10 +08:00
Author
Owner
Copy Link

The error handling is done in the callers here:

The error handling is done in the callers here: * https://github.com/NixOS/hydra/blob/0b300e80ad579481fca3663e56356924b8a628e5/src/lib/Hydra/Controller/Root.pm#L350 * https://github.com/NixOS/hydra/blob/0b300e80ad579481fca3663e56356924b8a628e5/src/lib/Hydra/Controller/Root.pm#L309
sb10q commented 2020-06-24 23:18:42 +08:00
Author
Owner
Copy Link

A simple solution could be to add an empty /nix-support/do-not-distribute file into the derivation outputs. Getting the meta info of the package (with the license) seems more difficult.

A simple solution could be to add an empty ``/nix-support/do-not-distribute`` file into the derivation outputs. Getting the meta info of the package (with the license) seems more difficult.
astro commented 2020-06-26 05:53:21 +08:00
Contributor
Copy Link
diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
index a9b0d558..b77a7fc3 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -319,6 +319,7 @@ sub nar :Local :Args(1) {
         $path = $Nix::Config::storeDir . "/$path";
 
         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
+        notFound($c, "Do not distribute") if -e "$path/nix-support/do-not-distribute";
 
         $c->stash->{current_view} = 'NixNAR';
         $c->stash->{storePath} = $path;
@@ -368,6 +369,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
             setCacheHeaders($c, 60 * 60);
             return;
         }
+        notFound($c, "Do not distribute") if -e "$path/nix-support/do-not-distribute";
 
         $c->stash->{storePath} = $path;
         $c->forward('Hydra::View::NARInfo');

I am about to test this before committing but Hydra doesn't build for me right now, neither on 20.03 nor on master. Ok, hydra-2020-06-23 builds successfully for me...

```diff diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm index a9b0d558..b77a7fc3 100644 --- a/src/lib/Hydra/Controller/Root.pm +++ b/src/lib/Hydra/Controller/Root.pm @@ -319,6 +319,7 @@ sub nar :Local :Args(1) { $path = $Nix::Config::storeDir . "/$path"; gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path); + notFound($c, "Do not distribute") if -e "$path/nix-support/do-not-distribute"; $c->stash->{current_view} = 'NixNAR'; $c->stash->{storePath} = $path; @@ -368,6 +369,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) { setCacheHeaders($c, 60 * 60); return; } + notFound($c, "Do not distribute") if -e "$path/nix-support/do-not-distribute"; $c->stash->{storePath} = $path; $c->forward('Hydra::View::NARInfo'); ``` I am about to test this before committing ~~but Hydra doesn't build for me right now, neither on 20.03 nor on master~~. Ok, hydra-2020-06-23 builds successfully for me...
sb10q commented 2020-06-26 10:58:42 +08:00
Author
Owner
Copy Link

Nitpick: restrict-distribution seems to be a better name than do-not-distribute.

There has been some mess with Hydra recently, the recommended package is now called hydra-unstable and it builds as of 20.03.2176.a84b797b28e.

Nitpick: ``restrict-distribution`` seems to be a better name than ``do-not-distribute``. There has been some mess with Hydra recently, the recommended package is now called ``hydra-unstable`` and it builds as of 20.03.2176.a84b797b28e.
sb10q commented 2020-06-26 15:22:26 +08:00
Author
Owner
Copy Link

Is the Windows ISO redistributable? What about the VS bootstrap installer?
We may still have a problem with fetchurl, and the fetchurl store paths are clearly visible e.g. https://nixbld.m-labs.hk/build/69946/nixlog/27

Is the Windows ISO redistributable? What about the VS bootstrap installer? We may still have a problem with ``fetchurl``, and the fetchurl store paths are clearly visible e.g. https://nixbld.m-labs.hk/build/69946/nixlog/27
sb10q commented 2020-06-26 19:11:14 +08:00
Author
Owner
Copy Link

A simple hack - that would work also for fetchurl - would be to start the relevant derivation names with "RESTRICTDIST" :)
e.g. /nix/store/pf3jkpq8nxycv4a3i5z4rnbp1wx512bx-RESTRICTDIST-windows10.iso

A simple hack - that would work also for fetchurl - would be to start the relevant derivation names with "RESTRICTDIST" :) e.g. /nix/store/pf3jkpq8nxycv4a3i5z4rnbp1wx512bx-RESTRICTDIST-windows10.iso
astro commented 2020-06-27 02:52:21 +08:00
Contributor
Copy Link

RESTRICTDIST in the name is a good idea as that allows the feature for Nix store entries that are not directories.

fetchurl accepts an additional name attribute which I made use of in #30.

`RESTRICTDIST` in the name is a good idea as that allows the feature for Nix store entries that are not directories. `fetchurl` accepts an additional `name` attribute which I made use of in #30.
sb10q commented 2020-06-27 17:16:01 +08:00
Author
Owner
Copy Link

It works!
https://nixbld.m-labs.hk/nar/xks67i4frg8k7rmlv5298aac0s4n5nih-RESTRICTDIST-release_svc_refresh_CLIENT_LTSC_EVAL_x64FRE_en-us.iso

It works! https://nixbld.m-labs.hk/nar/xks67i4frg8k7rmlv5298aac0s4n5nih-RESTRICTDIST-release_svc_refresh_CLIENT_LTSC_EVAL_x64FRE_en-us.iso
👍 1
sb10q closed this issue 2020-06-27 17:16:04 +08:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: M-Labs/nix-scripts#26
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?