Use deterministic bootstrapping for nixpkgs (#40)

2024-06-01 18:43:37 +02:00 · 2017-12-28 09:41:39 -06:00 · 2017-12-28 09:41:39 -06:00 · 4ef32ccf42
commit 4ef32ccf42
parent 19125b42be
3 changed files with 62 additions and 26 deletions
--- a/fetch-nixpkgs.nix
+++ b/fetch-nixpkgs.nix
@ -0,0 +1,51 @@
+{ rev                             # The Git revision of nixpkgs to fetch
+, sha256                          # The SHA256 of the downloaded data
+, system ? builtins.currentSystem # This is overridable if necessary
+}:
+
+with {
+  ifThenElse = { bool, thenValue, elseValue }: (
+    if bool then thenValue else elseValue);
+};
+
+ifThenElse {
+  bool = (0 <= builtins.compareVersions builtins.nixVersion "1.12");
+
+  # In Nix 1.12, we can just give a `sha256` to `builtins.fetchTarball`.
+  thenValue = (
+    builtins.fetchTarball {
+      url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+      inherit sha256;
+    });
+
+  # This hack should at least work for Nix 1.11
+  elseValue = (
+    (rec {
+      tarball = import <nix/fetchurl.nix> {
+        url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+        inherit sha256;
+      };
+
+      builtin-paths = import <nix/config.nix>;
+      
+      script = builtins.toFile "nixpkgs-unpacker" ''
+        "$coreutils/mkdir" "$out"
+        cd "$out"
+        "$gzip" --decompress < "$tarball" | "$tar" -x --strip-components=1
+      '';
+
+      nixpkgs = builtins.derivation {
+        name = "nixpkgs-${builtins.substring 0 6 rev}";
+
+        builder = builtins.storePath builtin-paths.shell;
+
+        args = [ script ];
+
+        inherit tarball system;
+
+        tar       = builtins.storePath builtin-paths.tar;
+        gzip      = builtins.storePath builtin-paths.gzip;
+        coreutils = builtins.storePath builtin-paths.coreutils;
+      };
+    }).nixpkgs);
+}
--- a/nixpkgs.json
+++ b/nixpkgs.json
@ -1,6 +0,0 @@
-{
-  "url": "https://github.com/NixOS/nixpkgs.git",
-  "rev": "1849e695b00a54cda86cb75202240d949c10c7ce",
-  "date": "2017-03-30T18:32:09+02:00",
-  "sha256": "1fw9ryrz1qzbaxnjqqf91yxk1pb9hgci0z0pzw53f675almmv9q2"
-}
--- a/nixpkgs.nix
+++ b/nixpkgs.nix
@ -1,21 +1,12 @@
-let
-  # NOTE: This is the only non-deterministic part of our system since we need a
-  # a starting point in order to be able to fetch the pinned `nixpkgs`.  From
-  # that point forward our build is deterministic and pinned
-  #
-  # We only use this for the `fetchFromGitHub` utility so as long as that
-  # remains stable then we shouldn't have migration issues.
-  inherit (import <nixpkgs> { }) fetchFromGitHub;
+# Given a Git revision hash `<rev>`, you get the new SHA256 by running:
+#
+# ```bash
+# $ nix-prefetch-url "https://github.com/NixOS/nixpkgs/archive/<rev>.tar.gz"
+# ```
+#
+# The SHA256 will be printed as the last line of stdout.

-  # In order to update `nixpkgs.json` to a specific revision, run:
-  #
-  # ```bash
-  # $ nix-prefetch-git https://github.com/NixOS/nixpkgs.git "${REVISION}" > nixpkgs.json
-  # ```
-  nixpkgs = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
-in
-  fetchFromGitHub {
-    owner = "NixOS";
-    repo  = "nixpkgs";
-    inherit (nixpkgs) rev sha256;
-  }
+import ./fetch-nixpkgs.nix {
+  rev    = "1849e695b00a54cda86cb75202240d949c10c7ce";
+  sha256 = "1riv7n11rqbfdnikr2wm263fcppzh0760kqhwn5gscl89qmliw2y";
+}