New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buildRustPackage: add cargoHash
for SRI hashes of vendored deps
#103118
Conversation
, cargoHash ? "" | ||
|
||
# Legacy hash | ||
, cargoSha256 ? "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this just a simple migration to a new var name / style without any real functional difference? Would be worth updating the section of the manual with this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know that SRI hashes are already used in nixpkgs
but I am not sure if we endorse them yet. I am also not sure whether with stable Nix will actually generate them for you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems to work:
❯ nix --version
nix (Nix) 2.3.8
❯ nix-build -A broot
these derivations will be built:
/nix/store/w86388xb4h1250wzyyzli61ji7gh6y8x-broot-1.0.4-vendor.tar.gz.drv
/nix/store/zswggbvzvi858czcqr7cvblzk84zk58k-broot-1.0.4.drv
building '/nix/store/w86388xb4h1250wzyyzli61ji7gh6y8x-broot-1.0.4-vendor.tar.gz.drv'...
error: --- Error --- nix-daemon
hash mismatch in fixed-output derivation '/nix/store/w86388xb4h1250wzyyzli61ji7gh6y8x-broot-1.0.4-vendor.tar.gz.drv':
specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
got: sha256-ikx2jlSg+kzhZce3C2+7sKgMokJ24dmHpw8d+eSIe7E=
error: error: --- Error --- nix-daemon
1 dependencies of derivation '/nix/store/zswggbvzvi858czcqr7cvblzk84zk58k-broot-1.0.4.drv' failed to build
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bhipple any objections against merging this? The hash
attribute of fetchurl
is not documented yet either, but this change makes things consistent with fetchurl
. (It's kinda weird to place SRI hashes in cargoSha256
as well ;) .)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need documentation update.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know that SRI hashes are already used in
nixpkgs
but I am not sure if we endorse them yet. I am also not sure whether with stable Nix will actually generate them for you.
It won't generate it but you can convert it and it will understand it.
I propose that we just add @andir any opinion on this? |
The commit message is mixing buildRustCrate and buildRustPackage. I am not sure what the relation is. I usually do only care about buildRustCrate as I am not really happy with our FOD abuse. |
5d7733a
to
dcbe434
Compare
dcbe434
to
7b5f63f
Compare
Whoops, fixed! |
7b5f63f
to
c279584
Compare
patches = cargoPatches; | ||
sha256 = cargoSha256; | ||
} // depsExtraArgs) | ||
else null; | ||
|
||
# If we have a cargoSha256 fixed-output derivation, validate it at build time | ||
# against the src fixed-output derivation to check consistency. | ||
validateCargoDeps = cargoSha256 != "unset"; | ||
validateCargoDeps = !(cargoHash == "" && cargoSha256 == ""); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any problem with keeping the value unset here for both?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess not, but I wanted to use the same conventions as fetchurl
in fetchCargoTarball
.
, cargoSha256 ? "unset" | ||
|
||
# SRI hash | ||
, cargoHash ? "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This flag needs to be documented in doc/languages-frameworks/rust.section.md
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a commit to add documentation for cargoHash
.
f31cdbf
to
82d5857
Compare
`buildRustPackage` currently accepts `cargoSha256` as a hash for vendored dependencies. This change adds `cargoHash` which accepts SRI hashes, setting `outputHashAlgo` to `null`. The hash mismatch message still uses `cargoSha256` as an example, which it probably should until we completely switch to SRI hashes.
82d5857
to
b6728fa
Compare
@Mic92 does this look good to you with the added documentation? |
Thanks! |
Motivation for this change
buildRustCrate currently accepts
cargoSha256
as a hash for vendoreddependencies. This change adds
cargoHash
which accepts SRI hashes,setting
outputHashAlgo
tonull
.The hash mismatch message still uses
cargoSha256
as an example,which it probably should until we completely switch to SRI hashes.
This PR also changes the broot derivation to use
cargoHash
as anexample.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)