summary refs log tree commit diff
path: root/pkgs/build-support/fetchgit
diff options
context:
space:
mode:
authorAdam Joseph <adam@westernsemico.com>2022-05-02 02:51:11 -0700
committerAdam Joseph <adam@westernsemico.com>2022-06-11 12:42:33 -0700
commit5ed4944130468764f705fcc600bea923223252ec (patch)
treefa94016861ece69702afef08d506468381a565a5 /pkgs/build-support/fetchgit
parent94c37705ebcfd8a5bc42d64aa28512fdc5b910c4 (diff)
downloadnixpkgs-5ed4944130468764f705fcc600bea923223252ec.tar
nixpkgs-5ed4944130468764f705fcc600bea923223252ec.tar.gz
nixpkgs-5ed4944130468764f705fcc600bea923223252ec.tar.bz2
nixpkgs-5ed4944130468764f705fcc600bea923223252ec.tar.lz
nixpkgs-5ed4944130468764f705fcc600bea923223252ec.tar.xz
nixpkgs-5ed4944130468764f705fcc600bea923223252ec.tar.zst
nixpkgs-5ed4944130468764f705fcc600bea923223252ec.zip
fetchgit: allow passing allowedRequisites through to stdenv.mkDerivation
When maintainers override stages of `fetchgit' (e.g. `postPatch`) it
is very easy for them to accidentally leak the outpath-hash of their
current `stdenv` into `fetchgit''s output, and therefore into the
value they paste into `sha256`.

This is a problem, because the resulting expression will break
whenever any change is made to `stdenv` or when anybody attempts to
build the expression on a different platform than the one used by the
original maintainer.

Almost as much of a problem is the fact that CI **does not catch**
these problems.  The `fetchgit` is run only once, then its output goes
into cachix, and all future builds (hydra, CI, ofborg) pull from
cachix.

Let's offer maintainers the option to check that they aren't making
this mistake, by passing through `allowedRequisites`.  The default
value is `null`, but it might be worth changing that at some point in
the future.

It is also sometimes difficult to communicate to package maintainers
why their expression is problematic.  Having `allowedRequisites`
passed through makes it easier to do this: "look, when I switch on
`allowedRequisites` your package breaks; are you sure you meant to
hardcode the hash today's `x86_64-linux.stdenv` into your expression?`

For an example use case, see https://github.com/NixOS/nixpkgs/pull/171223

The issue above is part of a larger problem with nixpkgs infra: there
large parts of cachix cannot be reproduced easily if they are lost.
Once something ends goes into cachix, we never ever again reverify the
procedure by which it was placed into cachix.
Diffstat (limited to 'pkgs/build-support/fetchgit')
-rw-r--r--pkgs/build-support/fetchgit/default.nix4
1 files changed, 3 insertions, 1 deletions
diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix
index 2ae1714e4af..84f2278db29 100644
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@@ -28,6 +28,7 @@ in
   # needed for netrcPhase
   netrcImpureEnvVars ? []
 , meta ? {}
+, allowedRequisites ? null
 }:
 
 /* NOTE:
@@ -91,7 +92,8 @@ stdenvNoCC.mkDerivation {
     "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER"
   ];
 
-  inherit preferLocalBuild meta;
+
+  inherit preferLocalBuild meta allowedRequisites;
 
   passthru = {
     gitRepoUrl = url;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-16 00:48:58 +0000