
buildRustPackage: add verifyCargoDeps option

One issue with cargoSha256 is that it's hard to detect whether it needs
to be updated. It's possible to upgrade a package, forget to update
cargoSha256, and end up running old versions of the program or
libraries.

This commit introduces `verifyCargoDeps` which, when enabled, will check
that the Cargo.lock is not out of date in the cargoDeps by comparing it
with the package source.
openssl
zimbatm 3 years ago
parent
commit
f8d67ec135
No known key found for this signature in database
GPG Key ID: 71BAF6D40C1D63D7
  1. 4
      doc/languages-frameworks/rust.section.md
  2. 19
      pkgs/build-support/rust/default.nix
  3. 18
      pkgs/build-support/rust/fetchcargo.nix

4
doc/languages-frameworks/rust.section.md

@ -43,6 +43,7 @@ rustPlatform.buildRustPackage rec {
};
cargoSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
verifyCargoDeps = true;
meta = with stdenv.lib; {
description = "A fast line-oriented regex search tool, similar to ag and ack";
@ -64,6 +65,9 @@ When the `Cargo.lock`, provided by upstream, is not in sync with the
added in `cargoPatches` will also be prepended to the patches in `patches` at
build-time.
When `verifyCargoDeps` is set to `true`, the build will also verify that the
`cargoSha256` is not out of date by comparing the `Cargo.lock` file in both the `cargoDeps` and `src`. Note that this option changes the value of `cargoSha256` since it also copies the `Cargo.lock` in it. To avoid breaking backward-compatibility this option is not enabled by default but hopefully will be in the future.
## Compiling Rust crates using Nix instead of Cargo
### Simple operation

19
pkgs/build-support/rust/default.nix

@ -13,6 +13,9 @@
, cargoUpdateHook ? ""
, cargoDepsHook ? ""
, cargoBuildFlags ? []
, # Set to true to verify if the cargo dependencies are up to date.
# This will change the value of cargoSha256.
verifyCargoDeps ? false
, buildType ? "release"
, meta ? {}
@ -26,6 +29,7 @@ let
cargoDeps = if cargoVendorDir == null
then fetchcargo {
inherit name src srcs sourceRoot cargoUpdateHook;
copyLockfile = verifyCargoDeps;
patches = cargoPatches;
sha256 = cargoSha256;
}
@ -95,6 +99,21 @@ stdenv.mkDerivation (args // {
unset cargoDepsCopy
export RUST_LOG=${logLevel}
'' + stdenv.lib.optionalString verifyCargoDeps ''
if ! diff source/Cargo.lock $cargoDeps/Cargo.lock ; then
echo
echo "ERROR: cargoSha256 is out of date."
echo
echo "Cargo.lock is not the same in $cargoDeps."
echo
echo "To fix the issue:"
echo '1. Use "1111111111111111111111111111111111111111111111111111" as the cargoSha256 value'
echo "2. Build the derivation and wait it to fail with a hash mismatch"
echo "3. Copy the 'got: sha256:' value back into the cargoSha256 field"
echo
exit 1
fi
'' + (args.postUnpack or "");
configurePhase = args.configurePhase or ''
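Review bot: The added check in `postUnpack` hard-codes `source/Cargo.lock`, so it only works when the unpacked tree is named `source` and the crate sits at its root; a package that sets `sourceRoot`, which this file already passes on to fetchcargo, would fail the `diff` and be told its `cargoSha256` is stale when it is not. Using the variable the unpack phase has set by then, and quoting both paths, avoids that: `if ! diff "$sourceRoot/Cargo.lock" "$cargoDeps/Cargo.lock" ; then`. The check also runs before the patch phase, while fetchcargo appears to take its snapshot from a tree that already has `cargoPatches` applied, so a patch that touches `Cargo.lock` would presumably trip the check as well; that is worth confirming. The `postUnpack` string begins above the hunk.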

18
pkgs/build-support/rust/fetchcargo.nix

@ -17,7 +17,16 @@ let cargo-vendor-normalise = stdenv.mkDerivation {
preferLocalBuild = true;
};
in
{ name ? "cargo-deps", src, srcs, patches, sourceRoot, sha256, cargoUpdateHook ? "" }:
{ name ? "cargo-deps"
, src
, srcs
, patches
, sourceRoot
, sha256
, cargoUpdateHook ? ""
, # whenever to also include the Cargo.lock in the output
copyLockfile ? false
}:
stdenv.mkDerivation {
name = "${name}-vendor";
nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ];
@ -37,6 +46,9 @@ stdenv.mkDerivation {
exit 1
fi
# Keep the original around for copyLockfile
cp Cargo.lock Cargo.lock.orig
export CARGO_HOME=$(mktemp -d cargo-home.XXX)
CARGO_CONFIG=$(mktemp cargo-config.XXXX)
@ -52,6 +64,10 @@ stdenv.mkDerivation {
if ! cmp $CARGO_CONFIG ${./fetchcargo-default-config.toml} > /dev/null; then
install -D $CARGO_CONFIG $out/.cargo/config;
fi;
'' + stdenv.lib.optionalString copyLockfile ''
# add the Cargo.lock to allow hash invalidation
cp Cargo.lock.orig $out/Cargo.lock
'';
outputHashAlgo = "sha256";
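Review bot: The comment on the new `copyLockfile` argument does not say what the copied file is for, and "whenever" should read "whether". I would write `# whether to also copy the source's Cargo.lock into the output, so that a lock file change alters the output hash`. At `cp Cargo.lock Cargo.lock.orig` the comment could say which state is being saved, for example `# Snapshot the lock file before the vendoring steps below; copyLockfile installs this copy`. It is also worth stating near the option that the copy only lets a later build detect lock file drift and is not in itself a check that the vendored crates match the lock file. The build script starts and ends outside the hunks shown.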
