From f8d67ec135de10ac16fcc0c1623c911a4783775f Mon Sep 17 00:00:00 2001 From: zimbatm Date: Sat, 24 Aug 2019 14:29:47 +0200 Subject: [PATCH] buildRustPackage: add verifyCargoDeps option One issue with cargoSha256 is that it's hard to detect when it needs to be updated or not. It's possible to upgrade a package and forget to update cargoSha256 and run with old versions of the program or libraries. This commit introduces `verifyCargoDeps` which, when enabled, will check that the Cargo.lock is not out of date in the cargoDeps by comparing it with the package source. --- doc/languages-frameworks/rust.section.md | 4 ++++ pkgs/build-support/rust/default.nix | 19 +++++++++++++++++++ pkgs/build-support/rust/fetchcargo.nix | 18 +++++++++++++++++- 3 files changed, 40 insertions(+), 1 deletion(-) diff --git a/doc/languages-frameworks/rust.section.md b/doc/languages-frameworks/rust.section.md index 2d9338f2e89..83b7b159bd6 100644 --- a/doc/languages-frameworks/rust.section.md +++ b/doc/languages-frameworks/rust.section.md @@ -43,6 +43,7 @@ rustPlatform.buildRustPackage rec { }; cargoSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx"; + verifyCargoDeps = true; meta = with stdenv.lib; { description = "A fast line-oriented regex search tool, similar to ag and ack"; @@ -64,6 +65,9 @@ When the `Cargo.lock`, provided by upstream, is not in sync with the added in `cargoPatches` will also be prepended to the patches in `patches` at build-time. +When `verifyCargoDeps` is set to `true`, the build will also verify that the +`cargoSha256` is not out of date by comparing the `Cargo.lock` file in both the `cargoDeps` and `src`. Note that this option changes the value of `cargoSha256` since it also copies the `Cargo.lock` in it. To avoid breaking backward-compatibility this option is not enabled by default but hopefully will be in the future. + ## Compiling Rust crates using Nix instead of Cargo ### Simple operation 
diff --git a/pkgs/build-support/rust/default.nix b/pkgs/build-support/rust/default.nix index 4634d32f6ac..27601e481c6 100644 --- a/pkgs/build-support/rust/default.nix +++ b/pkgs/build-support/rust/default.nix @@ -13,6 +13,9 @@ , cargoUpdateHook ? "" , cargoDepsHook ? "" , cargoBuildFlags ? [] +, # Set to true to verify if the cargo dependencies are up to date. + # This will change the value of cargoSha256. + verifyCargoDeps ? false , buildType ? "release" , meta ? {} @@ -26,6 +29,7 @@ let cargoDeps = if cargoVendorDir == null then fetchcargo { inherit name src srcs sourceRoot cargoUpdateHook; + copyLockfile = verifyCargoDeps; patches = cargoPatches; sha256 = cargoSha256; } @@ -95,6 +99,21 @@ stdenv.mkDerivation (args // { unset cargoDepsCopy export RUST_LOG=${logLevel} + '' + stdenv.lib.optionalString verifyCargoDeps '' + if ! diff source/Cargo.lock $cargoDeps/Cargo.lock ; then + echo + echo "ERROR: cargoSha256 is out of date." + echo + echo "Cargo.lock is not the same in $cargoDeps." + echo + echo "To fix the issue:" + echo '1. Use "1111111111111111111111111111111111111111111111111111" as the cargoSha256 value' + echo "2. Build the derivation and wait it to fail with a hash mismatch" + echo "3. Copy the 'got: sha256:' value back into the cargoSha256 field" + echo + + exit 1 + fi '' + (args.postUnpack or ""); configurePhase = args.configurePhase or '' diff --git a/pkgs/build-support/rust/fetchcargo.nix b/pkgs/build-support/rust/fetchcargo.nix index bc80db0947b..a515ce9c6eb 100644 --- a/pkgs/build-support/rust/fetchcargo.nix +++ b/pkgs/build-support/rust/fetchcargo.nix 
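Review bot: The check added in the `@@ -95,6 +99,21 @@` hunk reads the lockfile from a fixed `source/Cargo.lock`, although this file passes `sourceRoot` through to `fetchcargo`. A package that sets `sourceRoot`, or whose source unpacks under another directory name, would get a missing-file diff and be told its `cargoSha256` is stale. Assuming `$sourceRoot` is already set when `postUnpack` runs, `if ! diff "$sourceRoot/Cargo.lock" "$cargoDeps/Cargo.lock"; then` keeps the comparison on the tree that was actually vendored. The block is appended to `postUnpack`, which presumably runs before patches are applied, so a `cargoPatches` entry that edits `Cargo.lock` may also cause a false mismatch; confirm this against the phase in which fetchcargo takes its copy. The shell string this is appended to starts above the hunk.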
@@ -17,7 +17,16 @@ let cargo-vendor-normalise = stdenv.mkDerivation { preferLocalBuild = true; }; in -{ name ? "cargo-deps", src, srcs, patches, sourceRoot, sha256, cargoUpdateHook ? "" }: +{ name ? "cargo-deps" +, src +, srcs +, patches +, sourceRoot +, sha256 +, cargoUpdateHook ? "" +, # whenever to also include the Cargo.lock in the output + copyLockfile ? false +}: stdenv.mkDerivation { name = "${name}-vendor"; nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ]; @@ -37,6 +46,9 @@ stdenv.mkDerivation { exit 1 fi + # Keep the original around for copyLockfile + cp Cargo.lock Cargo.lock.orig + export CARGO_HOME=$(mktemp -d cargo-home.XXX) CARGO_CONFIG=$(mktemp cargo-config.XXXX) @@ -52,6 +64,10 @@ stdenv.mkDerivation { if ! cmp $CARGO_CONFIG ${./fetchcargo-default-config.toml} > /dev/null; then install -D $CARGO_CONFIG $out/.cargo/config; fi; + + '' + stdenv.lib.optionalString copyLockfile '' + # add the Cargo.lock to allow hash invalidation + cp Cargo.lock.orig $out/Cargo.lock ''; outputHashAlgo = "sha256";
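Review bot: The comment on `copyLockfile` in the `@@ -17,7 +17,16 @@` hunk says "whenever" where "whether" is meant. It also omits the consequence a caller most needs: enabling the option changes the contents of the fixed-output derivation, and therefore the expected `sha256`. Suggested wording: `# whether to also copy Cargo.lock into the output; enabling this changes the output hash`.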
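Review bot: `Cargo.lock.orig` in the `@@ -37,6 +46,9 @@` hunk is snapshotted before the vendoring steps, and the last hunk publishes that snapshot as `$out/Cargo.lock`. The output therefore records the lockfile as it was found, which may differ from the one the vendored crates were resolved from if a later step rewrites it; `cargoUpdateHook` is a parameter here, but where it runs is not visible in the hunk. The existing one-line comment does not say this, so a reader could take `$out/Cargo.lock` as describing the vendored set. Suggested comment: `# Snapshot Cargo.lock before any later step can rewrite it; copyLockfile publishes this copy so it can be compared with the lockfile in src.` The build script this sits in begins and ends outside the hunk.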