Deprecate restrict-eval

[fricklerhandwerk]

As discussed in the Nix team meeting today: #7871 (comment)

Proposal

Issue a warning when the setting is enabled and direct users to GitHub if they would be impacted by the feature being removed.

[Artturin]

restrict-eval is used by ofborg https://github.com/NixOS/ofborg/blob/de415d372959b7e6fc6b2f6c95f0c21e5010348d/ofborg/src/nix.rs#L353

(also nix >=2.16 breaks the strict_sandboxing test NixOS/ofborg#659 which seems related)

[Ericson2314]

@Artturin Yeah we would do something else for Hydra/Ofborg/Etc.

I suspect it perhaps could just be pure eval, with a few things to make that more versatile.

[puffnfresh]

From my understanding, #9061 made it so that even the most common Nix flakes (e.g. using a github:NixOS/nixpkgs input) will stop working by default under Hydra due to restrict-eval. Users will have to specify allowed-uris Nix configuration before flakes will work.

I feel like it's important for something to be done before a release of current master.

[puffnfresh]

How does this issue and the current thinking relate to #1701? Should we do one instead of the other?

[fricklerhandwerk]

Arguably we can't just remove it, as current thinking seems to have converged on keeping stable interfaces stable. @NixOS/nix-team correct me if I'm wrong.

Until we have a deprecation policy as linked in the linked comment, we won't remove things that are a result of past design decisions. (Bugs in the implementation of design decisions are something else.)

In that case it would make sense to close the issue suggesting to remove restrict-eval.

[AleXoundOS]

If I understand correctly, it forbids access to resources like https:// during Nix code evaluation (unless they're specified in allowed-uris)? Seems to be a useful feature.