
>> which means you cannot do that method on environments you don't have full control over.

> Could you give an example of where that would ever be an issue? The only thing I can think of is hydra.nixos.org, but there's no way in hell such a derivation would be acceptable for nixpkgs, so that's pretty irrelevant (similar to how it's really easy to make a .deb package from a directory and a control file; but there's no way in hell it complies with the Debian project's packaging guidelines)

In any production environment, using any external build service like nixbuild.net, self-hosted Hydra. Basically anything beyond personal use.

The post about all this is from Channable; Channable runs Nix-built code in production. Their developers (likely) cannot disable the sandbox and ship that code.

You even say that there is "no way in hell such a derivation would be acceptable for nixpkgs".

If you cannot share it, it's only good for you and you alone.



> production environment

> in production

Lol. If someone doesn't want to be executing random unverified binaries fetched from arbitrary online locations, then they shouldn't write such things in their build scripts.

That has nothing to do with Nix. The same goes for Makefile, or whatever.



