author | zimbatm <zimbatm@zimbatm.com> | 2019-08-24 14:29:47 +0200 |
---|---|---|
committer | zimbatm <zimbatm@zimbatm.com> | 2019-09-30 17:09:52 +0000 |
commit | f8d67ec135de10ac16fcc0c1623c911a4783775f (patch) | |
tree | 180510ea6ee17ce0fe14d10d69569f3ef81d55bc /pkgs/build-support/rust | |
parent | 98ddcfe794b28a1fa89d544f9efa3783b7835a0f (diff) | |
buildRustPackage: add verifyCargoDeps option
One issue with cargoSha256 is that it's hard to tell when it needs to be updated. It's possible to upgrade a package, forget to update cargoSha256, and end up running old versions of the program or its libraries. This commit introduces `verifyCargoDeps` which, when enabled, checks that the Cargo.lock in the cargoDeps is not out of date by comparing it with the one in the package source.
Diffstat (limited to 'pkgs/build-support/rust')
-rw-r--r-- | pkgs/build-support/rust/default.nix | 19 | ||||
-rw-r--r-- | pkgs/build-support/rust/fetchcargo.nix | 18 |
2 files changed, 36 insertions, 1 deletions
diff --git a/pkgs/build-support/rust/default.nix b/pkgs/build-support/rust/default.nix index 4634d32f6ace..27601e481c68 100644 --- a/pkgs/build-support/rust/default.nix +++ b/pkgs/build-support/rust/default.nix @@ -13,6 +13,9 @@ , cargoUpdateHook ? "" , cargoDepsHook ? "" , cargoBuildFlags ? [] +, # Set to true to verify if the cargo dependencies are up to date. + # This will change the value of cargoSha256. + verifyCargoDeps ? false , buildType ? "release" , meta ? {} @@ -26,6 +29,7 @@ let cargoDeps = if cargoVendorDir == null then fetchcargo { inherit name src srcs sourceRoot cargoUpdateHook; + copyLockfile = verifyCargoDeps; patches = cargoPatches; sha256 = cargoSha256; } @@ -95,6 +99,21 @@ stdenv.mkDerivation (args // { unset cargoDepsCopy export RUST_LOG=${logLevel} + '' + stdenv.lib.optionalString verifyCargoDeps '' + if ! diff source/Cargo.lock $cargoDeps/Cargo.lock ; then + echo + echo "ERROR: cargoSha256 is out of date." + echo + echo "Cargo.lock is not the same in $cargoDeps." + echo + echo "To fix the issue:" + echo '1. Use "1111111111111111111111111111111111111111111111111111" as the cargoSha256 value' + echo "2. Build the derivation and wait it to fail with a hash mismatch" + echo "3. Copy the 'got: sha256:' value back into the cargoSha256 field" + echo + + exit 1 + fi '' + (args.postUnpack or ""); configurePhase = args.configurePhase or '' diff --git a/pkgs/build-support/rust/fetchcargo.nix b/pkgs/build-support/rust/fetchcargo.nix index bc80db0947b0..a515ce9c6eb5 100644 --- a/pkgs/build-support/rust/fetchcargo.nix +++ b/pkgs/build-support/rust/fetchcargo.nix 
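Review bot: The comment on `verifyCargoDeps` in the argument list says that enabling it changes cargoSha256 but not why, and it does not mention that the build fails on a mismatch. Something like `# Copy Cargo.lock into the vendored cargoDeps (this changes cargoSha256) and fail the build when it differs from the source's Cargo.lock.` would tell a packager what to expect. With the default of `false`, the stale-dependency case described in the commit message still builds silently unless a package opts in, which is worth stating next to the option. The argument set starts and ends outside the hunk.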
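Review bot: The check added to the postUnpack string compares `source/Cargo.lock`, a hard-coded directory name, so a package whose unpacked tree is not called `source`, or that sets `sourceRoot` to a subdirectory, fails the check even when its hash is current. Any non-zero exit from `diff`, including a missing file on either side, is reported as "cargoSha256 is out of date". I would use the unpacked root and quote both paths: `if ! diff "$sourceRoot/Cargo.lock" "$cargoDeps/Cargo.lock"; then` (stdenv should have set `$sourceRoot` by the time postUnpack runs; confirm). Since this runs before the patch phase while fetchcargo receives `patches = cargoPatches`, a cargoPatch that touches Cargo.lock would presumably make the two files differ permanently. The mkDerivation block continues outside the hunk.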
@@ -17,7 +17,16 @@ let cargo-vendor-normalise = stdenv.mkDerivation { preferLocalBuild = true; }; in -{ name ? "cargo-deps", src, srcs, patches, sourceRoot, sha256, cargoUpdateHook ? "" }: +{ name ? "cargo-deps" +, src +, srcs +, patches +, sourceRoot +, sha256 +, cargoUpdateHook ? "" +, # whenever to also include the Cargo.lock in the output + copyLockfile ? false +}: stdenv.mkDerivation { name = "${name}-vendor"; nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ]; @@ -37,6 +46,9 @@ stdenv.mkDerivation { exit 1 fi + # Keep the original around for copyLockfile + cp Cargo.lock Cargo.lock.orig + export CARGO_HOME=$(mktemp -d cargo-home.XXX) CARGO_CONFIG=$(mktemp cargo-config.XXXX) @@ -52,6 +64,10 @@ stdenv.mkDerivation { if ! cmp $CARGO_CONFIG ${./fetchcargo-default-config.toml} > /dev/null; then install -D $CARGO_CONFIG $out/.cargo/config; fi; + + '' + stdenv.lib.optionalString copyLockfile '' + # add the Cargo.lock to allow hash invalidation + cp Cargo.lock.orig $out/Cargo.lock ''; outputHashAlgo = "sha256"; |
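Review bot: The comment above `copyLockfile` in the new argument list reads "whenever to also include the Cargo.lock in the output"; "whenever" should be "whether", and the comment does not say what the copy is for. Suggested wording: `# whether to also copy the original Cargo.lock into the output, so the output hash depends on it`. That matches the "allow hash invalidation" comment in the last hunk of this file.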
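Review bot: The lockfile only lands in `$out` when this build script actually runs, which the comment `# add the Cargo.lock to allow hash invalidation` in the last hunk does not make clear. With `outputHashAlgo` set just below and the derivation name still `${name}-vendor`, a vendor directory already present in the store or a substituter under the same sha256 is presumably reused as-is and carries no Cargo.lock. I would extend the comment, e.g. `# Ship the original Cargo.lock so the output hash covers it; outputs obtained under an older sha256 will not contain this file.` The consumer's `diff` then fails on a missing file, not on a content difference, which is the right outcome but worth documenting here.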