Use deterministic bootstrapping for nixpkgs (#40)

2024-11-23 11:39:43 +01:00 · 2017-12-28 09:41:39 -06:00 · 2017-12-28 09:41:39 -06:00 · 4ef32ccf42
commit 4ef32ccf42
parent 19125b42be
3 changed files with 62 additions and 26 deletions
--- a/fetch-nixpkgs.nix
+++ b/fetch-nixpkgs.nix
@ -0,0 +1,51 @@
 { rev                             # The Git revision of nixpkgs to fetch
 , sha256                          # The SHA256 of the downloaded data
 , system ? builtins.currentSystem # This is overridable if necessary
 }:
 with {
  ifThenElse = { bool, thenValue, elseValue }: (
    if bool then thenValue else elseValue);
 };
 ifThenElse {
  bool = (0 <= builtins.compareVersions builtins.nixVersion "1.12");
  # In Nix 1.12, we can just give a `sha256` to `builtins.fetchTarball`.
  thenValue = (
    builtins.fetchTarball {
      url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
      inherit sha256;
    });
  # This hack should at least work for Nix 1.11
  elseValue = (
    (rec {
      tarball = import <nix/fetchurl.nix> {
        url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
        inherit sha256;
      };
      builtin-paths = import <nix/config.nix>;
      script = builtins.toFile "nixpkgs-unpacker" ''
        "$coreutils/mkdir" "$out"
        cd "$out"
        "$gzip" --decompress < "$tarball" | "$tar" -x --strip-components=1
      '';
      nixpkgs = builtins.derivation {
        name = "nixpkgs-${builtins.substring 0 6 rev}";
        builder = builtins.storePath builtin-paths.shell;
        args = [ script ];
        inherit tarball system;
        tar       = builtins.storePath builtin-paths.tar;
        gzip      = builtins.storePath builtin-paths.gzip;
        coreutils = builtins.storePath builtin-paths.coreutils;
      };
    }).nixpkgs);
 }
--- a/nixpkgs.json
+++ b/nixpkgs.json
@ -1,6 +0,0 @@
 {
  "url": "https://github.com/NixOS/nixpkgs.git",
  "rev": "1849e695b00a54cda86cb75202240d949c10c7ce",
  "date": "2017-03-30T18:32:09+02:00",
  "sha256": "1fw9ryrz1qzbaxnjqqf91yxk1pb9hgci0z0pzw53f675almmv9q2"
 }
--- a/nixpkgs.nix
+++ b/nixpkgs.nix
@ -1,21 +1,12 @@
-let
+# Given a Git revision hash `<rev>`, you get the new SHA256 by running:
-  # NOTE: This is the only non-deterministic part of our system since we need a
+#
-  # a starting point in order to be able to fetch the pinned `nixpkgs`.  From
+# ```bash
-  # that point forward our build is deterministic and pinned
+# $ nix-prefetch-url "https://github.com/NixOS/nixpkgs/archive/<rev>.tar.gz"
-  #
+# ```
-  # We only use this for the `fetchFromGitHub` utility so as long as that
+#
-  # remains stable then we shouldn't have migration issues.
+# The SHA256 will be printed as the last line of stdout.
  inherit (import <nixpkgs> { }) fetchFromGitHub;
-  # In order to update `nixpkgs.json` to a specific revision, run:
+import ./fetch-nixpkgs.nix {
-  #
+  rev    = "1849e695b00a54cda86cb75202240d949c10c7ce";
-  # ```bash
+  sha256 = "1riv7n11rqbfdnikr2wm263fcppzh0760kqhwn5gscl89qmliw2y";
-  # $ nix-prefetch-git https://github.com/NixOS/nixpkgs.git "${REVISION}" > nixpkgs.json
+}
  # ```
  nixpkgs = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
 in
  fetchFromGitHub {
    owner = "NixOS";
    repo  = "nixpkgs";
    inherit (nixpkgs) rev sha256;
  }