bug#73166: shell-autorized-directories

[Suhail Singh]

Nicolas Graves <ngraves@ngraves.fr> writes:

> Building a package yes, but you can have external commands in a
> manifest.scm or guix.scm.
>
> ...
>
> What I was saying is that we could restrain recording `guix shell --allow`
> only if the manifest builds properly containerized and without network
> access (outside package building I mean), and otherwise refuse to allow
> (failing manifest, possibly because it tries to access the network or
> files outside the repo) with a warning message, providing the ability to
> restrain "automatic loading" to certain "safer" conditions only.

I see.  I think in the event that the manifest doesn't build in a
containerized environment without networking access, providing a warning
when using --allow would be quite helpful.  It would inform the user of
situations where what's happening in the manifest has fewer guarantees.

If we were to do the above for --allow, but still allow the user to
bypass that via shell-authorized-directories if desired, I believe it
would be a good tradeoff: make well-behaved code easier to use, while
still allowing for less-well-behaved workflows with some minor
inconvenience.

I am assuming in the above that this wouldn't interfere with additional
channels being used in the repo.

> The downside is that we would have to basically run `guix shell
> --container` (and build all there is to build) before being able to
> run `guix shell --allow`.

As long as we properly document this, I think that that's acceptable.

-- 
Suhail