Nicolas Graves <ngra...@ngraves.fr> writes:

> Building a package yes, but you can have external commands in a
> manifest.scm or guix.scm.
>
> ...
>
> What I was saying is that we could restrain recording `guix shell --allow`
> only if the manifest builds properly containerized and without network
> access (outside package building I mean), and otherwise refuse to allow
> (failing manifest, possibly because it tries to access the network or
> files outside the repo) with a warning message, providing the ability to
> restrain "automatic loading" to certain "safer" conditions only.

I see. I think in the event that the manifest doesn't build in a containerized environment without networking access, providing a warning when using --allow would be quite helpful. It would inform the user of situations where what's happening in the manifest has fewer guarantees.

If we were to do the above for --allow, but still allow the user to bypass that via shell-authorized-directories if desired, I believe it would be a good tradeoff: make well-behaved code easier to use, while still allowing for less-well-behaved workflows with some minor inconvenience.

I am assuming in the above that this wouldn't interfere with additional channels being used in the repo.

> The downside is that we would have to basically run `guix shell
> --container` (and build all there is to build) before being able to
> run `guix shell --allow`.

As long as we properly document this, I think that that's acceptable.

--
Suhail