Use deterministic bootstrapping for nixpkgs (#40)

Remy Goldschmidt 2017-12-28 09:41:39 -06:00 committed by intractable
parent 19125b42be
commit 4ef32ccf42
3 changed files with 62 additions and 26 deletions

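--- /dev/null
+++ b/fetch-nixpkgs.nix
@@ -0,0 +1,51 @@
+{ rev # The Git revision of nixpkgs to fetch
+, sha256 # The SHA256 of the downloaded data
+, system ? builtins.currentSystem # This is overridable if necessary
+}:
+with {
+ifThenElse = { bool, thenValue, elseValue }: (
+if bool then thenValue else elseValue);
+};
+ifThenElse {
+bool = (0 <= builtins.compareVersions builtins.nixVersion "1.12");
+# In Nix 1.12, we can just give a `sha256` to `builtins.fetchTarball`.
+thenValue = (
+builtins.fetchTarball {
+url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+inherit sha256;
+});
+# This hack should at least work for Nix 1.11
+elseValue = (
+(rec {
+tarball = import <nix/fetchurl.nix> {
+url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+inherit sha256;
+};
+builtin-paths = import <nix/config.nix>;
+script = builtins.toFile "nixpkgs-unpacker" ''
+"$coreutils/mkdir" "$out"
+cd "$out"
+"$gzip" --decompress < "$tarball" | "$tar" -x --strip-components=1
+'';
+nixpkgs = builtins.derivation {
+name = "nixpkgs-${builtins.substring 0 6 rev}";
+builder = builtins.storePath builtin-paths.shell;
+args = [ script ];
+inherit tarball system;
+tar = builtins.storePath builtin-paths.tar;
+gzip = builtins.storePath builtin-paths.gzip;
+coreutils = builtins.storePath builtin-paths.coreutils;
+};
+}).nixpkgs);
+}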
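Review bot: The two branches of `ifThenElse` check `sha256` against different objects, so a single `sha256` argument is unlikely to satisfy both: `builtins.fetchTarball` in `thenValue` verifies the hash of the unpacked tree, while `<nix/fetchurl.nix>` in `elseValue` is a flat fixed-output fetch that verifies the hash of the downloaded `.tar.gz`. The update instructions on the new side of the third file (`nix-prefetch-url "https://github.com/NixOS/nixpkgs/archive/<rev>.tar.gz"`) yield the flat file hash, which matches only the Nix 1.11 fallback; on Nix 1.12 and later the pinned fetch would fail its hash check, which is the deterministic-bootstrap property this commit is meant to establish. Either make the branches consistent (for example `unpack = true;` on the `<nix/fetchurl.nix>` call, if the Nix versions in use support it, with the unpacker script adjusted accordingly) or state in the `sha256` parameter comment which object is hashed and how to obtain it, e.g. `, sha256 # SHA256 of the unpacked tarball (nix-prefetch-url --unpack); see fallback note below`. As a point of style, the `with { ifThenElse = … }` wrapper adds nothing over a plain `if cond then … else …` expression and could be dropped.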

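--- a/nixpkgs.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-"url": "https://github.com/NixOS/nixpkgs.git",
-"rev": "1849e695b00a54cda86cb75202240d949c10c7ce",
-"date": "2017-03-30T18:32:09+02:00",
-"sha256": "1fw9ryrz1qzbaxnjqqf91yxk1pb9hgci0z0pzw53f675almmv9q2"
-}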


@ -1,21 +1,12 @@
let # Given a Git revision hash `<rev>`, you get the new SHA256 by running:
# NOTE: This is the only non-deterministic part of our system since we need a #
# a starting point in order to be able to fetch the pinned `nixpkgs`. From # ```bash
# that point forward our build is deterministic and pinned # $ nix-prefetch-url "https://github.com/NixOS/nixpkgs/archive/<rev>.tar.gz"
# # ```
# We only use this for the `fetchFromGitHub` utility so as long as that #
# remains stable then we shouldn't have migration issues. # The SHA256 will be printed as the last line of stdout.
inherit (import <nixpkgs> { }) fetchFromGitHub;
# In order to update `nixpkgs.json` to a specific revision, run: import ./fetch-nixpkgs.nix {
# rev = "1849e695b00a54cda86cb75202240d949c10c7ce";
# ```bash sha256 = "1riv7n11rqbfdnikr2wm263fcppzh0760kqhwn5gscl89qmliw2y";
# $ nix-prefetch-git https://github.com/NixOS/nixpkgs.git "${REVISION}" > nixpkgs.json }
# ```
nixpkgs = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
in
fetchFromGitHub {
owner = "NixOS";
repo = "nixpkgs";
inherit (nixpkgs) rev sha256;
}