{lib, stdenvNoCC, git, git-lfs, cacert}: let
  # Derive a derivation name from a repository URL and a revision.
  #
  # The name is the last path component of `url` (a trailing "/" and a ".git"
  # suffix are dropped).  When `rev` looks like a hex commit hash, the first
  # seven characters are appended as "-<short>"; for symbolic revs such as
  # "HEAD" or a tag name nothing is appended.
  urlToName = url: rev:
    let
      inherit (lib) removeSuffix splitString last optionalString;
      # baseNameOf leaves scp-style "host:path" URLs intact, so the last ":"
      # separated piece is taken as well.
      lastComponent = last (splitString ":" (baseNameOf (removeSuffix "/" url)));
      repoName = removeSuffix ".git" lastComponent;
      # Only an all-hex rev is treated as a commit hash worth abbreviating.
      isHexRev = builtins.match "[a-f0-9]*" rev != null;
      revSuffix = optionalString isHexRev "-${builtins.substring 0 7 rev}";
    in "${repoName}${revSuffix}";
in
{ url                    # repository to clone
, rev ? "HEAD"           # commit hash, tag or branch; non-hash revs can move (see NOTE below)
, md5 ? ""               # no longer supported; kept only to produce a clear error
, sha256 ? ""            # expected output hash, legacy (non-SRI) form
, hash ? ""              # expected output hash, SRI form; exclusive with sha256
, leaveDotGit ? deepClone
, fetchSubmodules ? true
, deepClone ? false
, branchName ? null
, sparseCheckout ? ""
, nonConeMode ? false
, name ? urlToName url rev
, # Shell code executed after the repository has been fetched successfully.
  # It can check or transform the fetched tree.
  postFetch ? ""
, preferLocalBuild ? true
, fetchLFS ? false
, # Shell code that writes a `netrc` file for BASIC auth.  The file is moved
  # to `.netrc` in the build directory and HOME is pointed there (see postHook
  # below); NOTE(review): make sure postFetch does not copy it into $out.
  netrcPhase ? null
, # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes)
  # that netrcPhase needs, passed through the build sandbox.
  netrcImpureEnvVars ? []
, meta ? {}
, # Forwarded to mkDerivation so maintainers can check that nothing (e.g. the
  # current stdenv's store path) leaks into the fixed output.
  allowedRequisites ? null
}:

/* NOTE:
   fetchgit has one limitation: `git fetch` only works for refs.

   Fetching arbitrary (possibly dangling) commits may be a security risk, and
   checking whether a commit belongs to a ref is expensive.  This may change
   in the future if git gains some caching for that check.

   Refs are usually tags (refs/tags/*) or branches (refs/heads/*).  Cloning a
   branch makes the hash check fail as soon as the branch is updated, but not
   every commit we want is reachable through a tag.

   The workaround is to fetch the last n commits so that they are likely to
   still contain the hash we want; for now the depth is increased
   iteratively (TODO).

   The real fix would be to ask the git folks for a
       git fetch $HASH contained in $BRANCH
   facility, because checking that $HASH is contained in $BRANCH is cheaper
   than fetching with --depth $N.  Even if git implemented this soon, it may
   take years until server admins run the new version.
*/

assert deepClone -> leaveDotGit;
assert nonConeMode -> (sparseCheckout != "");

if md5 != "" then
  throw "fetchgit does not support md5 anymore, please use sha256"
else if hash != "" && sha256 != "" then
  throw "Only one of sha256 or hash can be set"
else
let
  # An SRI `hash` carries its own algorithm, so outputHashAlgo is left unset;
  # the legacy `sha256` form needs it spelled out.
  useSriHash = hash != "";
  # Environment variables the fetcher script presumably reads from the
  # caller's environment (proxy command, alternative CA bundle, SOCKS server).
  gitImpureEnvVars = [ "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER" ];
in
stdenvNoCC.mkDerivation {
  inherit name;
  builder = ./builder.sh;
  fetcher = ./nix-prefetch-git; # This must be a string to ensure it's called with bash.

  nativeBuildInputs = [ git ] ++ lib.optional fetchLFS git-lfs;

  # Fixed-output derivation: the fetched tree is verified against this hash.
  outputHashMode = "recursive";
  outputHashAlgo = if useSriHash then null else "sha256";
  outputHash =
    if useSriHash then hash
    else if sha256 != "" then sha256
    # Placeholder; a build with it is expected to fail with a hash mismatch
    # that reports the real hash.
    else lib.fakeSha256;

  inherit url rev leaveDotGit fetchLFS fetchSubmodules deepClone branchName sparseCheckout nonConeMode postFetch;

  postHook = if netrcPhase == null then null else ''
    ${netrcPhase}
    # required that git uses the netrc file
    mv {,.}netrc
    export HOME=$PWD
  '';

  # Pin the CA bundle used for https fetches to the sandboxed cacert package.
  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";

  impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ gitImpureEnvVars;

  inherit preferLocalBuild meta allowedRequisites;

  passthru.gitRepoUrl = url;
}