Skip to content

HttpBinaryCacheStore: Don't ignore 401/407 errors#15877

Merged
xokdvium merged 1 commit into
masterfrom
401-errors
May 21, 2026
Merged

HttpBinaryCacheStore: Don't ignore 401/407 errors#15877
xokdvium merged 1 commit into
masterfrom
401-errors

Conversation

@edolstra

@edolstra edolstra commented May 18, 2026

Copy link
Copy Markdown
Member

Motivation

The only reason it treats 403 errors as 404s is that S3 returns 403 for files that don't exist if the bucket is unlistable. But we don't want to ignore (and definitely shouldn't cache) 401/407 errors as "file not found".

This fixes "token expired" errors from cache.flakehub.com being silently ignored and cached. Now you get:

# nix build --dry-run /nix/store/qnfhg5anpfpr4il3jlp9bnkf6vhyzbnj-determinate-nix-3.20.0
error: unable to download 'https://cache.flakehub.com/qnfhg5anpfpr4il3jlp9bnkf6vhyzbnj.narinfo': HTTP error 401

       response body:
         {"code":401,"error":"Unauthorized","message":"Unauthorized.","request_id":"019e3a82-2474-7f80-8564-6e1bc2234654"}
don't know how to build these paths:
      /nix/store/qnfhg5anpfpr4il3jlp9bnkf6vhyzbnj-determinate-nix-3.20.0

i.e. it's a fatal error now unless you use --fallback.

Note: this can "break" systems that have expired/unauthenticated binary caches, but that is the intended behaviour without --fallback (we don't want fallback to building from source by default).

Context

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@edolstra
HttpBinaryCacheStore: Don't ignore 401/407 errors
4bd0000 
The only reason it treats 403 errors as 404s is that S3 returns 403
for files that don't exist if the bucket is unlistable. But we don't
want to ignore (and definitely shouldn't cache) 401/407 errors as
"file not found".

This fixes "token expired" errors from cache.flakehub.com being
silently ignored and cached. Now you get:

  # nix build --dry-run /nix/store/qnfhg5anpfpr4il3jlp9bnkf6vhyzbnj-determinate-nix-3.20.0
  error: unable to download 'https://cache.flakehub.com/qnfhg5anpfpr4il3jlp9bnkf6vhyzbnj.narinfo': HTTP error 401

         response body:

         {"code":401,"error":"Unauthorized","message":"Unauthorized.","request_id":"019e3a82-2474-7f80-8564-6e1bc2234654"}
  don't know how to build these paths:
    /nix/store/qnfhg5anpfpr4il3jlp9bnkf6vhyzbnj-determinate-nix-3.20.0

i.e. it's a fatal error now unless you use `--fallback`.
@edolstra edolstra requested a review from Ericson2314 as a code owner May 18, 2026 16:52
@xokdvium xokdvium added this pull request to the merge queue May 21, 2026
Merged via the queue into master with commit 2bcde72 May 21, 2026
20 checks passed
@xokdvium xokdvium deleted the 401-errors branch May 21, 2026 21:36
kolmodin pushed a commit to kolmodin/nix that referenced this pull request May 30, 2026
@xokdvium @kolmodin
Merge pull request NixOS#15877 from NixOS/401-errors
efb1686 
HttpBinaryCacheStore: Don't ignore 401/407 errors
@xokdvium xokdvium mentioned this pull request Jun 24, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xokdvium xokdvium xokdvium approved these changes
@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@edolstra @xokdvium