Merge pull request #103118 from danieldk/build-rust-package-sri

This commit is contained in:
Jörg Thalheim 2020-12-31 11:02:28 +00:00 committed by GitHub
commit 675d754dc2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 49 additions and 16 deletions

View file

@ -27,16 +27,16 @@ Rust applications are packaged by using the `buildRustPackage` helper from `rust
```
rustPlatform.buildRustPackage rec {
pname = "ripgrep";
version = "11.0.2";
version = "12.1.1";
src = fetchFromGitHub {
owner = "BurntSushi";
repo = pname;
rev = version;
sha256 = "1iga3320mgi7m853la55xip514a3chqsdi1a1rwv25lr9b1p7vd3";
sha256 = "1hqps7l5qrjh9f914r5i6kmcz6f1yb951nv4lby0cjnp5l253kps";
};
cargoSha256 = "17ldqr3asrdcsh4l29m3b5r37r5d0b3npq1lrgjmxb6vlx6a36qh";
cargoSha256 = "03wf9r2csi6jpa7v5sw5lpxkrk4wfzwmzx7k3991q3bdjzcwnnwp";
meta = with stdenv.lib; {
description = "A fast line-oriented regex search tool, similar to ag and ack";
@ -47,10 +47,31 @@ rustPlatform.buildRustPackage rec {
}
```
`buildRustPackage` requires a `cargoSha256` attribute which is computed over
all crate sources of this package. Currently it is obtained by inserting a
fake checksum into the expression and building the package once. The correct
checksum can then be taken from the failed build.
`buildRustPackage` requires either the `cargoSha256` or the
`cargoHash` attribute which is computed over all crate sources of this
package. `cargoHash256` is used for traditional Nix SHA-256 hashes,
such as the one in the example above. `cargoHash` should instead be
used for [SRI](https://www.w3.org/TR/SRI/) hashes. For example:
```
cargoHash = "sha256-l1vL2ZdtDRxSGvP0X/l3nMw8+6WF67KPutJEzUROjg8=";
```
Both types of hashes are permitted when contributing to nixpkgs. The
Cargo hash is obtained by inserting a fake checksum into the
expression and building the package once. The correct checksum can
then be taken from the failed build. A fake hash can be used for
`cargoSha256` as follows:
```
cargoSha256 = stdenv.lib.fakeSha256;
```
For `cargoHash` you can use:
```
cargoHash = stdenv.lib.fakeHash;
```
Per the instructions in the [Cargo Book](https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html)
best practices guide, Rust applications should always commit the `Cargo.lock`

View file

@ -15,7 +15,13 @@
}:
{ name ? "${args.pname}-${args.version}"
, cargoSha256 ? "unset"
# SRI hash
, cargoHash ? ""
# Legacy hash
, cargoSha256 ? ""
, src ? null
, srcs ? null
, unpackPhase ? null
@ -46,7 +52,7 @@
, buildAndTestSubdir ? null
, ... } @ args:
assert cargoVendorDir == null -> cargoSha256 != "unset";
assert cargoVendorDir == null -> !(cargoSha256 == "" && cargoHash == "");
assert buildType == "release" || buildType == "debug";
let
@ -54,6 +60,7 @@ let
cargoDeps = if cargoVendorDir == null
then fetchCargoTarball ({
inherit name src srcs sourceRoot unpackPhase cargoUpdateHook;
hash = cargoHash;
patches = cargoPatches;
sha256 = cargoSha256;
} // depsExtraArgs)
@ -61,7 +68,7 @@ let
# If we have a cargoSha256 fixed-output derivation, validate it at build time
# against the src fixed-output derivation to check consistency.
validateCargoDeps = cargoSha256 != "unset";
validateCargoDeps = !(cargoHash == "" && cargoSha256 == "");
# Some cargo builds include build hooks that modify their own vendor
# dependencies. This copies the vendor directory into the build tree and makes

View file

@ -22,11 +22,17 @@ in
, srcs ? []
, patches ? []
, sourceRoot
, sha256
, hash ? ""
, sha256 ? ""
, cargoUpdateHook ? ""
, ...
} @ args:
stdenv.mkDerivation ({
let hash_ =
if hash != "" then { outputHashAlgo = null; outputHash = hash; }
else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
else throw "fetchCargoTarball requires a hash for ${name}";
in stdenv.mkDerivation ({
name = "${name}-vendor.tar.gz";
nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ];
@ -40,7 +46,7 @@ stdenv.mkDerivation ({
echo
echo "ERROR: The Cargo.lock file doesn't exist"
echo
echo "Cargo.lock is needed to make sure that cargoSha256 doesn't change"
echo "Cargo.lock is needed to make sure that cargoHash/cargoSha256 doesn't change"
echo "when the registry is updated."
echo
@ -72,8 +78,7 @@ stdenv.mkDerivation ({
-czf $out $name
'';
outputHashAlgo = "sha256";
outputHash = sha256;
inherit (hash_) outputHashAlgo outputHash;
impureEnvVars = stdenv.lib.fetchers.proxyImpureEnvVars;
} // (builtins.removeAttrs args [

View file

@ -18,7 +18,7 @@ rustPlatform.buildRustPackage rec {
sha256 = "04nidx43w4nnccgbrw30wg9ai8p7hbklxpn1gc6gr2325yhqvwhl";
};
cargoSha256 = "1bzq0dsdnmxniwnb6989wlhih28c4lyd11sci821whs11lhlfpz0";
cargoHash = "sha256-4F9HIQ1BQx4EikyH0DwlDAkYIeUJJbMsj7ZX23QD+K8=";
nativeBuildInputs = [
makeWrapper