-
-
Notifications
You must be signed in to change notification settings - Fork 13.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cargo build without cargoSha256, use Cargo.lock instead #63653
Comments
This comment has been minimized.
This comment has been minimized.
Oh my gosh this would be so handy to have official! |
I marked this as stale due to inactivity. → More info |
This is still important to me! |
I'd love to see this too 👍 |
I would also still really love to see this! |
Note: |
I marked this as stale due to inactivity. → More info |
This is still important to me! |
While a theoretically awesome tool, Nix has demonstrated a pair of extremely deleterious shortcomings that appear to be not considered important by the Nix Community. Specifically: - Nix relies on the manual entry of input hashes for Cargo dependencies. This is extraordinarily cumbersome, and causes build failures on any dependency change. There was a suggestion to get this information automatically, but this has been stalled since 2019 (over 3 years, at the time of this commit): NixOS/nixpkgs#63653 - Nix appears to be unable to handle multiple versions of Rust packages gracefully. The result is unexpected and uncommunicative failures, such as a failure to generate a symlink. This class of failure was first reported in 2017 (over 5 years ago, at the time of this commit): NixOS/nixpkgs#22177 As a result, I do not believe that Nix can offer us a reliable platform for CI of Hubris at this time. As observed on #46, attempting to appease Nix can result in significant crate changes to facilitate single revision jumps - consuming days of effort to validate a change that is essentially operational.
While a theoretically awesome tool, Nix has demonstrated a pair of extremely deleterious shortcomings that appear to be not considered important by the Nix Community. Specifically: - Nix relies on the manual entry of input hashes for Cargo dependencies. This is extraordinarily cumbersome, and causes build failures on any dependency change. There was a suggestion to get this information automatically, but this has been stalled since 2019 (over 3 years, at the time of this commit): NixOS/nixpkgs#63653 - Nix appears to be unable to handle multiple versions of Rust packages gracefully. The result is unexpected and uncommunicative failures, such as a failure to generate a symlink. This class of failure was first reported in 2017 (over 5 years ago, at the time of this commit): NixOS/nixpkgs#22177 As a result, I do not believe that Nix can offer us a reliable platform for CI of Hubris at this time. As observed on #46, attempting to appease Nix can result in significant crate changes to facilitate single revision jumps - consuming days of effort to validate a change that is essentially operational.
fyi: #221716 |
Issue description
I’ve been experimenting with a new build platform that doesn’t require specifying a
cargoSha256
but instead relies on the information contained in theCargo.lock
. There are some open issues, maybe someone here will have good solutions!(note: happy to move this to discourse if needed)
The problems with the current rust platform (in particular with
cargoSha256
) is that it’scargoSha256
. This means tweaking the existing checksum, re-building, copying the new hash, etc. This becomes a huge mess when lots of developers are working on the same cargo project.sha256
) and in some cases the build may succeed nonetheless (think: security patch in a dependency, which doesn’t tinker with the crate’s interface). However a build on a different machine — where the vendored crates haven’t been cached yet — will result in a hash mismatch.How
The idea is to leverage the “recently” added
builtins.fromTOML
to read theCargo.lock
in Nix directly and fetch all crates before the build even begins (I’ve done something similar for npm). The lockfile looks something like this:Quoting naersk (the POC for this new platform):
The corollary is that the lockfile contains all the information Nix needs in order to download dependencies (at least for crates coming from crates.io, see below for git dependencies).
Current status
The POC works surprisingly well. Most libs build out of the box but there are some issues that worry me a bit.
Libs that build
(I basically went through the list of trending rust repos)
Missing
fetchFromGitHub
and friends require asha256
. There are some workarounds:builtins.fetchgit
... which doesn’t require asha256
. The major drawbacks is thatfetchgit
will redownload the repo every hour and doesn’t support submodules. Moreover it’s somewhat ugly.cargoSha256
for git deps ... which is somewhat work ergonomic than having a singlecargoSha256
for all deps, but still not idealnix-build
/derivation — it’s a pain to make sure thatcargo
(in a dev’s terminal) uses the same dependencies. There are some workarounds that can be implemented in a nix-shell (shellHook
setting$CARGO_HOME
with custom config, orshellHook
that symlinks the store paths in $PWD) but it’s still very, very suboptimal.CC @grahamc @basvandijk
The text was updated successfully, but these errors were encountered: