Builtin fetchurl ignores netrc-file

[aakropotkin]

I know this isn't officially supported so feel free to close it. I'm reporting this for the awareness of contributors.

The internal built-in derivation builder for fetchurl does not adhere to the users' config for netrc-file.

A suitable workaround is to use the default of /etc/nix/netrc or ~/.config/nix/netrc.

This occurs in Nix 2.8-10 on Linux and Darwin.

Again, I don't think anyone should fix this without a compelling reason. Just wanted to let you know.

[SuperSandro2000]

netrc support is part of the nixpkgs fetchurl function https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchurl/default.nix#L170-L173 , so it is no surprise that the builtin fetchurl does not support it which makes this a feature request, not a bug.

[aakropotkin]

Okay feel free to relabel it.

Thanks for letting me know about the Nixpkgs usage; that actually helps me quite a bit. It's interesting that that's a config flag for Nix when Nixpkgs is the actual consumer, Nixpkgs' config seems more intuitive; but I'm sure there's a history ( security? ) or roadmap that explains why it's handled by Nix.

[nrdxp]

I'm really confused about the behavior of Nix and the netrc file in general. Especially in comparison to the newer acess-tokens setting. I have two machines, one my local dev machine, and one a remote CI runner that I can ssh to and run tests on manually if/when needed. I have a package that has a few private dependencies in github package repositories which are fetched with builtins.fetchurl. On my local machine, setting an entry in the netrc to machine maven.pkg.github.com got the derivation to fetch those deps and finish the build successfully.

However, on the CI macine, with the same Nix version, and the same exact netrc, I keep getting 401s, and I am entirely at a loss as to why. Both machines also have access-tokens set identically as well, but on my local the derivation continued to fail to build until I added an entry to the netrc.

[newAM]

Various fetchers use different auth mechanisms, in general I found that you have to set all of these to make everything work.

• set acess-tokens in the system (/etc/nix/nix.conf)*
• set a netrc file for the system
• set access-tokens for the user (~/.config/nix/nix.conf)*
• set a netrc file for the user (~/.netrc)

I should trace through the code again and do a writeup on which fetchers use which auth for the wiki. IIRC generally flake inputs use access-tokens and everything else uses netrc (if it can use netrc)

* paths may be inaccurate, writing from memory

[nrdxp]

I should trace through the code again and do a writeup on which fetchers use which auth for the wiki. IIRC generally flake inputs use access-tokens and everything else uses netrc (if it can use netrc)

You should probably put it directly into the documentation in this repo, rather than the wiki, imo

That said, it still doesn't explain my current "works on my machine" predicament