rust: improve fetch-cargo-deps determinism for non-sandboxed builds

When not using sandboxing, /usr/share/git-core/templates may leak into the nix build through the libgit2 hardcoded default template search path. We now explictly set the templatedir to avoid this problem. See nix-community/nix-index#2 (comment) for an example case of nondeterminism.
NixOS · Apr 21, 2017 · bd78749 · bd78749
1 parent 5238b85
commit bd78749
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/pkgs/build-support/rust/fetch-cargo-deps b/pkgs/build-support/rust/fetch-cargo-deps
@@ -1,3 +1,18 @@
+# copied from libgit2 source code 'repo-template.h'
+makeGitTemplate() {
+    local target="$1"
+    mkdir -p -m777 "$target/info" "$target/pack" "$target/objects" "$target/refs"
+    mkdir -p -m777 "$target/refs/heads" "$target/refs/tags" "$target/objects/info" "$target/objects/pack"
+    cat <<'EOF' > "$target/description"
+Unnamed repository; edit this file 'description' to name the repository.
+EOF
+    chmod 666 "$target/description"
+    cat <<'EOF' > "$target/info/exclude"
+# File patterns to ignore; see `git help ignore` for more information.
+# Lines that start with '#' are comments.
+EOF
+}
+
 fetchCargoDeps() {
     src=$(realpath $1)
     out=$(realpath $2)
@@ -6,6 +21,23 @@ fetchCargoDeps() {
 
     mkdir $out
 
+    # Configure git template dir to make libgit2 more deterministic
+    #
+    # Without a template dir, libgit2 defaults to /usr/share/git-core/templates,
+    # which can vary between systems if sandboxed builds aren't used.
+    #
+    # Note: we explictly set --tmpdir for mktemp here to make it more friendly
+    # for nix-shell users, where $TMPDIR is not necessarily set to NIX_BUILD_TOP
+    echo "Setting up git templatedir"
+    export GIT_TEMPLATE_DIR="$(mktemp -d --tmpdir=$NIX_BUILD_TOP git-template.XXX)"
+    makeGitTemplate "$GIT_TEMPLATE_DIR"
+    export XDG_CONFIG_HOME="$(mktemp -d --tmpdir=$NIX_BUILD_TOP home.XXX)"
+    mkdir -p $XDG_CONFIG_HOME/git
+    cat <<EOF > $XDG_CONFIG_HOME/git/config
+[init]
+  templatedir = $GIT_TEMPLATE_DIR
+EOF
+
     # Configure cargo to fetch from a local copy of the crates.io registry
 
     echo "Using rust registry from $rustRegistry"