tailscale: init at 0.97-0 [backport 19.09] #82831
Conversation
Since Go 1.13, `GOSUMDB` defaults to "sum.golang.org", to consult the checksum database of the main module's go.sum. We already use the default behavior when building `go-modules`, but Go tries to consult the checksum database again when building the module, and fails because since it requires `cacert` and `git` which are not propagated when building the package. (cherry picked from commit c5733e7)
Signed-off-by: Martin Baillie <martin@baillie.email> (cherry picked from commit 6e055c9)
Fixes a severe bug with subnet routing. Signed-off-by: David Anderson <dave@natulte.net> (cherry picked from commit f61f686)
|
Ouch, mass rebuild. That's because of c5733e7 , triggering the rebuild of anything that's go+modules. It should be a no-op for anything on Go 1.12 (except hash mutations, of course), but that's a much bigger change than I bargained for when I sent this PR. tailscale can't work without that backport, so I think that makes me lean towards rejecting this PR, and just waiting for tailscale in 20.03. That's a big rebuild for 19.09 late in its life. But you're welcome to talk me out of it ;) |
There was a problem hiding this comment.
This looks reasonable. The rebuild is unfortunate, but seems harmless as GOSUMDB doesn't exist in Go 1.12[1].
References
|
Same comment as in #82827 (review) (I think you can even squash the version update commit), then LGTM |
|
Done. |
The tag points to the same commit hash, so the binary is unchanged. Signed-off-by: David Anderson <dave@natulte.net> (cherry picked from commit 3fa813e)
Tailscale does not support Go 1.12. Signed-off-by: David Anderson <dave@natulte.net>
danderson
force-pushed
the
tailscale-19.09
branch
from
348e373
to
609a3da
Compare
|
Updated to use mostly cherrypicks from master. The one change that's not a cherrypick is specific to 19.09: 609a3da makes the derivation use Go 1.13 explicitly, as it's required by tailscale and not the default on 19.09. The cherry-pick of 0e1cf19 still causes a rebuild of all Go code. The rebuild is a no-op because Go 1.12 doesn't know about the sumdb environment variable that got added, but that change alters hashes and so, yay rebuild. |
|
@GrahamcOfBorg build antibody |
|
testing it's no op change there. |
|
Minor diff in the antibody binary: Looks pretty minor, but can't identify the diff more precisely without further disasm. |
|
Readelf says all the changed bytes are in the .note.go.buildid ELF section, which is Go's own deterministic build ID that hashes its inputs. I suspect it's taking in the env as a hash input, which would explain why it changed and nothing else - but digging further. Either way, the actual code+data of the binary is unchanged. |
|
@danderson I was wondering this exactly if that somehow will change build reproducibility if we changed the configure environment. And when you mentioned something about hashes changing I naively thought "well hopefully not modSha256", but reading the code changes I believe that sort of change would not be possible. |
|
I'm looking through the code of Go 1.12 that generates the build ID. It cares about a lot of factors, but afaict the environment variables is not one of them... Clearly one of the inputs to the Go build ID is changing, but I can't figure out which one. I've sent a distress call on twitter (https://twitter.com/dave_universetf/status/1242222407810572288) because I have no idea where to go from here to identify the cause. Will keep looking. On the bright side though: this change is a no-op in practice, there is no change in the generated machine code. I still want to get a definitive answer on why the build ID changed though. |
|
Oh actually, does buildGoModule use a deterministic rootdir path when building? The build path is hashed into the build ID, so if the derivation hash changes (which it did, because buildGoModule's derivation hash changed, because of the env var change), then it would hash in a different build path into the build ID. That would explain the "build ID only" diff: produced exactly the same code, but built from a different path? @worldofpeace I'm too new to Nix to be sure of my reasoning here. Does this seem plausible, or would you expect buildGoModule to eradicate that harmless non-determinism? (harmless because it only happens if the derivation hash changes, but the produced binaries are identical) |
@kalbasit Authored buildGoModule, so he would know. This is the buildPhase |
|
I do think that could be a plausible thing. |
|
I just dived into the Go compiler to try and figure out what goes into build ID, and failed. There's um, a lot of code that goes into computing build ID, and it's intertwined with the build caching logic. I'm going to need an adult in the Go world to help me further (fortunately I might have access to one...). |
|
Are you afraid that some packages might break because of the binary metadata change? Sounds like a reasonably small chance to me. Can code actually use / branch on that metadata? |
I personally don't see a problem here, I thought this was just a curiosity investigation. This will all rebuild anyways because the deriver was changed. |
|
Technically, Go code can read the build ID, and could branch on it. I can't think of any reasonable justification for doing that though. This is mostly a curiosity investigation, yes. Unfortunately it's stalled because all my Go team experts are overloaded due to *waves generally at everything*, so I'm not going to pursue this further right now. I've made a note in my nix contrib todo that I want to investigate making But if you're okay with the rebuild resulting in different build IDs being burned into the binaries, I'm good with merging this as-is. |
Motivation for this change
Tailscale is a new package+nixos module, merged recently in master. I would like to backport it to 19.09, selfishly so that I can install Tailscale on my NixOS servers.
It's not clear if this is okay or not. I backported the pppd module I created into 19.09 late last year, and back then the reasoning was: it's a "leaf" config, so it only risks breaking something if you explicitly decide to enable it. Therefore the risk was low to other 19.09 users.
I think the same reasoning applies here: the tailscale package is a "leaf" package that creates binaries (not libs), and the nixos module does nothing unless you explicitly opt-in. So, this should be completely safe to backport.
The only policy I could find was in the NixOS manual, where it says RMs decide what bugs & features should be backported. So, @disassembler and @lheckemann, I think this is your decision.
There are 4 commits in this PR: 3 cherrypicks, and 1 19.09-only change.
buildGo113Module(otherwise it can't build anything)buildGo113Moduleinstead ofbuildGoModule, because 19.09 defaults to Go 1.12 and Tailscale requires >=1.13.Of note: even though
buildGo113Moduleexists in 19.09, this would be the 1st and only package that uses it in 19.09 (that's why it was broken without anyone noticing).So, um, there. That's all the information on this change. Hopefully that helps you decide if this is acceptable to backport or not. I would like to document some general guidelines for this for future maintainers (because nobody was sure if this is okay or not), so I anxiously await your feedback :)
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)