Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

lib: add randomHash helper #362599

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+3 −1
Open

lib: add randomHash helper #362599

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion lib/default.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ let
mergeAttrsWithFunc mergeAttrsConcatenateValues
mergeAttrsNoOverride mergeAttrByFunc mergeAttrsByFuncDefaults
mergeAttrsByFuncDefaultsClean mergeAttrBy
fakeHash fakeSha256 fakeSha512
fakeHash fakeSha256 fakeSha512 randomHash
nixType imap;
inherit (self.versions)
splitVersion;
Expand Down
2 changes: 2 additions & 0 deletions lib/deprecated/misc.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -329,6 +329,7 @@ let
fakeHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
fakeSha256 = "0000000000000000000000000000000000000000000000000000000000000000";
fakeSha512 = "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
randomHash = builtins.hashString "sha256" (builtins.readFile /proc/sys/kernel/random/uuid);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This cannot take effect in flakes I suppose?

Copy link
Contributor Author

@boltzmannrain boltzmannrain Dec 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess not, and there's no --argstr to pass it from shell either NixOS/nix#5663

Some alternative approaches could be

  • external script driving multiple builds and substituting fakeHash per invocation & package
  • tweaking Nix to allow FOD without outputHash, it will fail but won't wait on other FODs
  • tweaking Nix to treat lib.fakeHash FOD specially, so not locking
  • replacing FOD outputHash with completely different flow for things that aren't just fetches
    • replace pinning outputHash with trush of substitution / attestation that a given unsafe derivation should produce given output
    • maybe distinguish between output value trust and trust to allow building it without full sandbox
    • that should make maintaining packages simpler, Hydra would sign outputs and signatures aren't persisted in nixpkgs, consumers may decide to trust Hydra or take the risk of building, but package maintainer doesn't need to do anything
  • having pseudo-random hash where sources of entropy could be
    • user-supplied salt
    • system argument (not sure how it works with flakes)
    • package name
    • current Git commit or tree hash (in case of flakes)
  • having multiple fakeHash values
    • weaker version of user salt
    • still locks for different systems unless values are per-system
    • still locks if several builds reuse the value

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tweaking Nix to treat lib.fakeHash FOD specially, so not locking

Probably the only correct way.


in

Expand All @@ -346,6 +347,7 @@ in
fakeHash
fakeSha256
fakeSha512
randomHash
foldArgs
getValue
ifEnable
Expand Down
Loading