If you're using #devenv for your projects, please note that the new `generate` command in 1.4.0 uses your repository content.

It tars up all files it can find through `git ls-files -z`³ and exfiltrates them to the service.

It handles `DO_NOT_TRACK=`¹ by sending that intent along² as a query string, so now you need to trust the service to not keep data.

🧵 1/n

[1] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/cli.rs#L202-L204
[2] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L212-L214
[3] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L226-L257
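
An added example, not part of the original post and not devenv's code: a small audit that parses the NUL-delimited output of `git ls-files -z` (the file list the post says is archived) and flags tracked files whose names suggest secrets. The pattern list and the sample input are constructed for illustration; `git ls-files` lists tracked files, so anything committed is in scope.

```python
import fnmatch
import subprocess
import sys

# Constructed name patterns for files that commonly hold secrets; extend per repo.
SENSITIVE_PATTERNS = [
    ".env", ".env.*", "*.pem", "*.key", "id_rsa", "id_ed25519",
    ".netrc", ".npmrc", "*.kdbx", "secrets.*",
]


def parse_ls_files_z(raw):
    """Split `git ls-files -z` output. Entries are NUL-terminated, so paths
    containing spaces or newlines survive intact."""
    return [p.decode("utf-8", "surrogateescape") for p in raw.split(b"\0") if p]


def flag_sensitive(paths):
    """Return the tracked paths whose basename matches a sensitive pattern."""
    hits = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatchcase(name, pat) for pat in SENSITIVE_PATTERNS):
            hits.append(path)
    return hits


def tracked_files(repo="."):
    """Ask git for the same file list, for the repository at `repo`."""
    out = subprocess.run(["git", "-C", repo, "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return parse_ls_files_z(out)


# Constructed sample of `git ls-files -z` output (one path contains a newline).
SAMPLE = (b"devenv.nix\0src/main.rs\0deploy/.env.production\0"
          b"certs/server.key\0docs/my notes\n.md\0")

if __name__ == "__main__":
    paths = tracked_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    hits = flag_sensitive(paths)
    print(f"{len(paths)} tracked files are in scope")
    for hit in hits:
        print("  sensitive-looking:", repr(hit))
    sys.exit(1 if hits else 0)
```

Run it from a repository root before using any tool that archives the tracked file list; a non-zero exit means at least one flagged file is in scope.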

@hexa so I guess nixpkgs.config now needs a way to block software from a particular upstream, similar to blocklistedLicenses? :(
@hexa
```nix
packageOverrides = pkgs: {
  devenv = pkgs.emptyDirectory;
};
```