nix-daemon: default useSandbox to true

2017-02-13 18:06:01 -05:00 · 2017-02-13 18:06:01 -05:00 · d0a086770a
commit d0a086770a
parent fc45440b8f
2 changed files with 8 additions and 4 deletions
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@ -25,6 +25,10 @@ has the following highlights: </para>
  <listitem>
    <para>PHP now defaults to PHP 7.1</para>
  </listitem>
+
+  <listitem>
+    <para>nix-daemon now uses sandboxing by default.</para>
+  </listitem>
 </itemizedlist>

 <para>The following new services were added since the last release:</para>
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -100,14 +100,14 @@ in

      useSandbox = mkOption {
        type = types.either types.bool (types.enum ["relaxed"]);
-        default = false;
+        default = true;
        description = "
          If set, Nix will perform builds in a sandboxed environment that it
          will set up automatically for each build.  This prevents
          impurities in builds by disallowing access to dependencies
-          outside of the Nix store. This isn't enabled by default for
-          performance. It doesn't affect derivation hashes, so changing
-          this option will not trigger a rebuild of packages.
+          outside of the Nix store. It doesn't affect derivation
+          hashes, so changing this option will not trigger a rebuild
+          of packages.
        ";
      };