f8d67ec135
One issue with cargoSha256 is that it's hard to detect when it needs to be updated or not. It's possible to upgrade a package and forget to update cargoSha256 and run with old versions of the program or libraries. This commit introduces `verifyCargoDeps` which, when enabled, will check that the Cargo.lock is not out of date in the cargoDeps by comparing it with the package source.
79 lines
2.4 KiB
Nix
79 lines
2.4 KiB
Nix
{ stdenv, cacert, git, cargo, python3 }:
|
|
let cargo-vendor-normalise = stdenv.mkDerivation {
|
|
name = "cargo-vendor-normalise";
|
|
src = ./cargo-vendor-normalise.py;
|
|
nativeBuildInputs = [ python3.pkgs.wrapPython ];
|
|
dontUnpack = true;
|
|
installPhase = "install -D $src $out/bin/cargo-vendor-normalise";
|
|
pythonPath = [ python3.pkgs.toml ];
|
|
postFixup = "wrapPythonPrograms";
|
|
doInstallCheck = true;
|
|
installCheckPhase = ''
|
|
# check that ./fetchcargo-default-config.toml is a fix point
|
|
reference=${./fetchcargo-default-config.toml}
|
|
< $reference $out/bin/cargo-vendor-normalise > test;
|
|
cmp test $reference
|
|
'';
|
|
preferLocalBuild = true;
|
|
};
|
|
in
|
|
{ name ? "cargo-deps"
|
|
, src
|
|
, srcs
|
|
, patches
|
|
, sourceRoot
|
|
, sha256
|
|
, cargoUpdateHook ? ""
|
|
, # whenever to also include the Cargo.lock in the output
|
|
copyLockfile ? false
|
|
}:
|
|
stdenv.mkDerivation {
|
|
name = "${name}-vendor";
|
|
nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ];
|
|
inherit src srcs patches sourceRoot;
|
|
|
|
phases = "unpackPhase patchPhase installPhase";
|
|
|
|
installPhase = ''
|
|
if [[ ! -f Cargo.lock ]]; then
|
|
echo
|
|
echo "ERROR: The Cargo.lock file doesn't exist"
|
|
echo
|
|
echo "Cargo.lock is needed to make sure that cargoSha256 doesn't change"
|
|
echo "when the registry is updated."
|
|
echo
|
|
|
|
exit 1
|
|
fi
|
|
|
|
# Keep the original around for copyLockfile
|
|
cp Cargo.lock Cargo.lock.orig
|
|
|
|
export CARGO_HOME=$(mktemp -d cargo-home.XXX)
|
|
CARGO_CONFIG=$(mktemp cargo-config.XXXX)
|
|
|
|
${cargoUpdateHook}
|
|
|
|
mkdir -p $out
|
|
cargo vendor $out | cargo-vendor-normalise > $CARGO_CONFIG
|
|
# fetchcargo used to never keep the config output by cargo vendor
|
|
# and instead hardcode the config in ./fetchcargo-default-config.toml.
|
|
# This broke on packages needing git dependencies, so now we keep the config.
|
|
# But not to break old cargoSha256, if the previous behavior was enough,
|
|
# we don't store the config.
|
|
if ! cmp $CARGO_CONFIG ${./fetchcargo-default-config.toml} > /dev/null; then
|
|
install -D $CARGO_CONFIG $out/.cargo/config;
|
|
fi;
|
|
|
|
'' + stdenv.lib.optionalString copyLockfile ''
|
|
# add the Cargo.lock to allow hash invalidation
|
|
cp Cargo.lock.orig $out/Cargo.lock
|
|
'';
|
|
|
|
outputHashAlgo = "sha256";
|
|
outputHashMode = "recursive";
|
|
outputHash = sha256;
|
|
|
|
impureEnvVars = stdenv.lib.fetchers.proxyImpureEnvVars;
|
|
preferLocalBuild = true;
|
|
}
|