Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cargo build without cargoSha256, use Cargo.lock instead #63653

Open
nmattia opened this issue Jun 22, 2019 · 10 comments
Open

Cargo build without cargoSha256, use Cargo.lock instead #63653

nmattia opened this issue Jun 22, 2019 · 10 comments

Comments

@nmattia
Copy link
Contributor

nmattia commented Jun 22, 2019

Issue description

I’ve been experimenting with a new build platform that doesn’t require specifying a cargoSha256 but instead relies on the information contained in the Cargo.lock. There are some open issues, maybe someone here will have good solutions!

(note: happy to move this to discourse if needed)

The problems with the current rust platform (in particular with cargoSha256) is that it’s

  1. unergonomic: every single dependency update requires the developer to update the cargoSha256. This means tweaking the existing checksum, re-building, copying the new hash, etc. This becomes a huge mess when lots of developers are working on the same cargo project.
  2. not repeatable: if a developer forgets to update the hash, nix will use the old dependencies (nix store lookup by sha256) and in some cases the build may succeed nonetheless (think: security patch in a dependency, which doesn’t tinker with the crate’s interface). However a build on a different machine — where the vendored crates haven’t been cached yet — will result in a hash mismatch.

How

The idea is to leverage the “recently” added builtins.fromTOML to read the Cargo.lock in Nix directly and fetch all crates before the build even begins (I’ve done something similar for npm). The lockfile looks something like this:

[[package]]
name = "aho-corasick"
version = "0.6.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "memchr 2.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
...

[metadata]
"checksum aho-corasick 0.6.10 (registry+https://github.com/rust-lang/crates.io-index)" = "81ce3d38065e618af2d7b77e10c5ad9a069859b4be3c2250f674af3840d9c8a5"

Quoting naersk (the POC for this new platform):

    # XXX: the actual crate format is not documented but in practice is a
    # gzipped tar; we simply unpack it and introduce a ".cargo-checksum.json"
    # file that cargo itself uses to double check the sha256

The corollary is that the lockfile contains all the information Nix needs in order to download dependencies (at least for crates coming from crates.io, see below for git dependencies).

Current status

The POC works surprisingly well. Most libs build out of the box but there are some issues that worry me a bit.

Libs that build

(I basically went through the list of trending rust repos)

Missing

  • crate-level incrementality: currently all dependencies are built alongside the main crate. This is not too bad (rustc is pretty fast) but it could be improved.
  • cargo doesn’t register checksums for git dependencies: this is a pretty nasty issue, because fetchFromGitHub and friends require a sha256. There are some workarounds:
    • use builtins.fetchgit ... which doesn’t require a sha256. The major drawbacks is that fetchgit will redownload the repo every hour and doesn’t support submodules. Moreover it’s somewhat ugly.
    • use cargoSha256 for git deps ... which is somewhat work ergonomic than having a single cargoSha256 for all deps, but still not ideal
    • track git dependencies outside of cargo ... e.g. “vendor” the dependencies through nix. The major drawback is that — while it’s fairly easy to do source replacement in a nix-build/derivation — it’s a pain to make sure that cargo (in a dev’s terminal) uses the same dependencies. There are some workarounds that can be implemented in a nix-shell (shellHook setting $CARGO_HOME with custom config, or shellHook that symlinks the store paths in $PWD) but it’s still very, very suboptimal.

CC @grahamc @basvandijk
@nmattia nmattia mentioned this issue Jun 24, 2019
Closed
@stale

This comment has been minimized.

Sign in to view
@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2020
@Hoverbear
Copy link
Member

Oh my gosh this would be so handy to have official!

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 20, 2020
@stale
Copy link

stale bot commented Dec 17, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 17, 2020
@Hoverbear
Copy link
Member

This is still important to me!

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 18, 2020
@Licenser
Copy link

Licenser commented Feb 5, 2021

I'd love to see this too 👍

@maddiemort
Copy link

I would also still really love to see this!

@nmattia
Copy link
Contributor Author

nmattia commented Jul 14, 2021

Note: naersk was just moved to https://github.com/nix-community/naersk, so I guess we're one step closer!

@stale
Copy link

stale bot commented May 2, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label May 2, 2022
@Hoverbear
Copy link
Member

This is still important to me!

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label May 2, 2022
@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 30, 2022
ghost pushed a commit to rivosinc/hubris that referenced this issue Nov 3, 2022
ci: Remove Nix Flake Checks
5b52007 
While a theoretically awesome tool, Nix has demonstrated a pair of
extremely deleterious shortcomings that appear to be not considered
important by the Nix Community.

Specifically:
- Nix relies on the manual entry of input hashes for Cargo
  dependencies. This is extraordinarily cumbersome, and causes
  build failures on any dependency change. There was a suggestion
  to get this information automatically, but this has been stalled
  since 2019 (over 3 years, at the time of this commit):
  NixOS/nixpkgs#63653

- Nix appears to be unable to handle multiple versions of Rust
  packages gracefully. The result is unexpected and uncommunicative
  failures, such as a failure to generate a symlink. This class of
  failure was first reported in 2017 (over 5 years ago, at the time
  of this commit):
  NixOS/nixpkgs#22177

As a result, I do not believe that Nix can offer us a reliable
platform for CI of Hubris at this time. As observed on #46,
attempting to appease Nix can result in significant crate changes
to facilitate single revision jumps - consuming days of effort to
validate a change that is essentially operational.
@ghost ghost mentioned this issue Nov 3, 2022
Merged
ghost pushed a commit to rivosinc/hubris that referenced this issue Nov 4, 2022
ci: Remove Nix Flake Checks
a6b1229 
While a theoretically awesome tool, Nix has demonstrated a pair of
extremely deleterious shortcomings that appear to be not considered
important by the Nix Community.

Specifically:
- Nix relies on the manual entry of input hashes for Cargo
  dependencies. This is extraordinarily cumbersome, and causes
  build failures on any dependency change. There was a suggestion
  to get this information automatically, but this has been stalled
  since 2019 (over 3 years, at the time of this commit):
  NixOS/nixpkgs#63653

- Nix appears to be unable to handle multiple versions of Rust
  packages gracefully. The result is unexpected and uncommunicative
  failures, such as a failure to generate a symlink. This class of
  failure was first reported in 2017 (over 5 years ago, at the time
  of this commit):
  NixOS/nixpkgs#22177

As a result, I do not believe that Nix can offer us a reliable
platform for CI of Hubris at this time. As observed on #46,
attempting to appease Nix can result in significant crate changes
to facilitate single revision jumps - consuming days of effort to
validate a change that is essentially operational.
@Stunkymonkey
Copy link
Contributor

fyi: #221716

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label May 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Licenser @Hoverbear @Stunkymonkey @nmattia @maddiemort