author | Benno Fünfstück <benno.fuenfstueck@gmail.com> | 2017-04-21 23:23:38 +0200 |
---|---|---|
committer | Benno Fünfstück <benno.fuenfstueck@gmail.com> | 2017-04-21 23:26:46 +0200 |
commit | bd78749d3387f84d4f70dada335df04479f8170c (patch) | |
tree | 296a1f13e038a43c716e2a11925bb25ef469d6a0 | |
parent | 5238b85207aa46f03f33c3a14a1ff7c219320388 (diff) | |
rust: improve fetch-cargo-deps determinism for non-sandboxed builds
When not using sandboxing, /usr/share/git-core/templates may leak into the nix build through the libgit2 hardcoded default template search path. We now explicitly set the templatedir to avoid this problem. See https://github.com/bennofs/nix-index/issues/2#issuecomment-296268983 for an example case of nondeterminism.
-rwxr-xr-x | pkgs/build-support/rust/fetch-cargo-deps | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/pkgs/build-support/rust/fetch-cargo-deps b/pkgs/build-support/rust/fetch-cargo-deps
index 54593994990f..76661a4f9ecc 100755
--- a/pkgs/build-support/rust/fetch-cargo-deps
+++ b/pkgs/build-support/rust/fetch-cargo-deps
@@ -1,3 +1,18 @@
+# copied from libgit2 source code 'repo-template.h'
+makeGitTemplate() {
+ local target="$1"
+ mkdir -p -m777 "$target/info" "$target/pack" "$target/objects" "$target/refs"
+ mkdir -p -m777 "$target/refs/heads" "$target/refs/tags" "$target/objects/info" "$target/objects/pack"
+ cat <<'EOF' > "$target/description"
+Unnamed repository; edit this file 'description' to name the repository.
+EOF
+ chmod 666 "$target/description"
+ cat <<'EOF' > "$target/info/exclude"
+# File patterns to ignore; see `git help ignore` for more information.
+# Lines that start with '#' are comments.
+EOF
+}
+
 fetchCargoDeps() {
 src=$(realpath $1)
 out=$(realpath $2)
@@ -6,6 +21,23 @@ fetchCargoDeps() {
 mkdir $out
+ # Configure git template dir to make libgit2 more deterministic
+ #
+ # Without a template dir, libgit2 defaults to /usr/share/git-core/templates,
+ # which can vary between systems if sandboxed builds aren't used.
+ #
+ # Note: we explictly set --tmpdir for mktemp here to make it more friendly
+ # for nix-shell users, where $TMPDIR is not necessarily set to NIX_BUILD_TOP
+ echo "Setting up git templatedir"
+ export GIT_TEMPLATE_DIR="$(mktemp -d --tmpdir=$NIX_BUILD_TOP git-template.XXX)"
+ makeGitTemplate "$GIT_TEMPLATE_DIR"
+ export XDG_CONFIG_HOME="$(mktemp -d --tmpdir=$NIX_BUILD_TOP home.XXX)"
+ mkdir -p $XDG_CONFIG_HOME/git
+ cat <<EOF > $XDG_CONFIG_HOME/git/config
+[init]
+ templatedir = $GIT_TEMPLATE_DIR
+EOF
+
 # Configure cargo to fetch from a local copy of the crates.io registry
 echo "Using rust registry from $rustRegistry" |
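Review bot: The `-m777` on both `mkdir` lines and the `chmod 666` on `description` in makeGitTemplate leave the template world-writable, which is broader than a build helper needs. In libgit2's repo-template.h these values are presumably creation modes that get filtered later, whereas `mkdir -m` sets the mode of the final directory independent of the umask, so copying them literally changes their meaning. The `mktemp -d` parent limits exposure as the function is called today, but for the non-sandboxed builds this commit targets I would use `mkdir -p -m755 …` and `chmod 644 "$target/description"`. `info/exclude` gets no explicit mode at all and so inherits the caller's umask; giving it the same `chmod 644` would also remove that source of variation.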
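Review bot: Both `export VAR="$(mktemp …)"` lines discard mktemp's exit status, so a failed mktemp leaves the variable empty and the following lines then act on `/info`, `/pack`, `/objects`, `/refs` (through `makeGitTemplate ""`) and on `/git/config`. Assign first and stop on failure, e.g. `GIT_TEMPLATE_DIR="$(mktemp -d --tmpdir="$NIX_BUILD_TOP" git-template.XXX)" || return 1` followed by `export GIT_TEMPLATE_DIR`, and do the same for XDG_CONFIG_HOME. `$NIX_BUILD_TOP` and `$XDG_CONFIG_HOME` are also unquoted in the mktemp, `mkdir -p` and redirect lines, which misbehaves on paths containing whitespace. fetchCargoDeps starts before and continues after this hunk, so whether a later check catches the empty-variable case is not visible here.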