Support restricted mode: Allow tarball access with search paths.

[pinch] / pinch.py

diff --git a/pinch.py b/pinch.py
index 130f69a8daeb86fc6521de878da3014075f8b16d..2ba47b22db129d06fe4d88851f5d19346cbc7d11 100644 (file)
--- a/pinch.py
+++ b/pinch.py
@@ -644,6 +644,7 @@ def pinCommand(args: argparse.Namespace) -> None:
 def updateCommand(args: argparse.Namespace) -> None:
     v = Verification()
     exprs: Dict[str, str] = {}
+    search_paths: List[str] = []
     config = {
         section: read_pinned_config_section(section, conf) for section,
         conf in read_config_files(
@@ -651,10 +652,12 @@ def updateCommand(args: argparse.Namespace) -> None:
     alias, nonalias = partition_dict(
         lambda k, v: isinstance(v[0], AliasSearchPath), config)
 
-    for section, (sp, pin) in nonalias.items():
+    for section, (sp, pin) in sorted(nonalias.items()):
         assert not isinstance(sp, AliasSearchPath)  # mypy can't see through
         assert not isinstance(pin, AliasPin)        # partition_dict()
         tarball = sp.fetch(v, pin)
+        search_paths.extend(["-I", "pinch_tarball_for_%s=%s" %
+                            (pin.release_name, tarball)])
         exprs[section] = (
             'f: f { name = "%s"; channelName = "%%s"; src = builtins.storePath "%s"; }' %
             (pin.release_name, tarball))
@@ -671,7 +674,8 @@ def updateCommand(args: argparse.Namespace) -> None:
         '--file',
         '<nix/unpack-channel.nix>',
         '--install',
-        '--from-expression'] + [exprs[name] % name for name in sorted(exprs.keys())]
+    ] + search_paths + ['--from-expression'] + [
+        exprs[name] % name for name in sorted(exprs.keys())]
     if args.dry_run:
         print(' '.join(map(shlex.quote, command)))
     else: