
fetchgit: inherit allowedRequisites in mkDerivation #177326

Merged
merged 1 commit into from Jun 22, 2022

Commits on Jun 11, 2022

  1. fetchgit: allow passing allowedRequisites through to stdenv.mkDerivation

    When maintainers override stages of `fetchgit` (e.g. `postPatch`) it
    is very easy for them to accidentally leak the outpath-hash of their
    current `stdenv` into `fetchgit`'s output, and therefore into the
    value they paste into `sha256`.
    
    This is a problem, because the resulting expression will break
    whenever any change is made to `stdenv` or when anybody attempts to
    build the expression on a different platform than the one used by the
    original maintainer.
    
    Almost as much of a problem is the fact that CI **does not catch**
    these problems.  The `fetchgit` is run only once, then its output goes
    into cachix, and all future builds (hydra, CI, ofborg) pull from
    cachix.
    
    Let's offer maintainers the option to check that they aren't making
    this mistake, by passing through `allowedRequisites`.  The default
    value is `null`, but it might be worth changing that at some point in
    the future.
    
    It is also sometimes difficult to communicate to package maintainers
    why their expression is problematic.  Having `allowedRequisites`
    passed through makes it easier to do this: "look, when I switch on
    `allowedRequisites` your package breaks; are you sure you meant to
    hardcode the hash of today's `x86_64-linux.stdenv` into your expression?"
    
    For an example use case, see #171223
    
    The issue above is part of a larger problem with nixpkgs infra:
    large parts of cachix cannot be reproduced easily if they are lost.
    Once something goes into cachix, we never ever again reverify the
    procedure by which it was placed into cachix.
    Adam Joseph committed Jun 11, 2022 (commit 5ed4944)
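As an added illustration (not code from this PR or from nixpkgs), here is a `fetchgit` call whose hook leaks a store path into the fixed-output result, with the `allowedRequisites` argument this PR adds switched on so the leak fails the build immediately. The URL, `rev` and `sha256` are placeholders, and the `postFetch` hook is assumed to be fetchgit's existing post-fetch argument.

```nix
# Added example, not part of the PR. Placeholders: url, rev, sha256.
# Assumes fetchgit accepts `allowedRequisites` (this PR) and `postFetch`.
{ fetchgit }:

let
  src = fetchgit {
    url = "https://example.invalid/some/repo.git";                 # placeholder
    rev = "0000000000000000000000000000000000000000";              # placeholder
    sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; # placeholder

    # The accidental leak: patchShebangs rewrites "#!/usr/bin/env bash"
    # into "#!/nix/store/<hash>-bash-<ver>/bin/bash". The checkout now
    # embeds the store path of *this* machine's bash, so the sha256 above
    # only matches on machines with an identical bash; everywhere else the
    # hash check fails. After a cachix hit nobody rebuilds it, so CI never
    # notices (exactly the failure mode the commit message describes).
    postFetch = ''
      patchShebangs $out/scripts
    '';

    # The check: a source checkout should have no runtime references at
    # all. With an empty allow-list, Nix refuses the output as soon as it
    # refers to any store path, so the maintainer sees the leak on the
    # first local build rather than after the hash is already committed.
    # Without this line, the leak can be inspected after the fact with:
    #   nix-store --query --references <result-path>
    allowedRequisites = [ ];
  };
in
src
```

Removing the `patchShebangs` call (or moving shebang fixes into the consuming package's own build, where they belong) makes the build pass with `allowedRequisites = [ ]` kept in place as a regression guard.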