disruptek
commented
4 years ago The problem is that Nimble does not give us much to work with -- normal Nimble installations, which Nimph nominally supports, often don't even have tags or commits for us to inspect.
So, sure, we can do lockfiles using commit hashes trivially, but then Nimble will be a second-class citizen that taints lockfiles, rendering them unreproducible. If you want to submit a PR to that effect, I'm happy to merge it. Maybe a --force option will override the discovery of a Nimble package included in the lockfile?
FWIW, I really don't care what other languages or environments produce, and to me, the idea that a tag's mutability is a liability is arguably ridiculous. If you cannot trust your source to tag itself in a sane manner, maybe you should be pointing at a fork instead. It's quite trivial to do so using Nimph.
FRidh
The lock file currently records only references. References (such as tags) are mutable, and thus the lock file does not achieve reproducibility. Upon locking the reference should be recorded (as it is now) but also the revision the reference was at at that time. Please see also the discussion at https://github.com/NixOS/nix/pull/3216
Also, have a look at the following example lock file of what is recorded https://github.com/NixOS/nix/blob/master/flake.lock.
narHashis essentially the hash over the contents (minus any version control files) and is used by the Nix package manager so it does not need to perform a version control checkout anymore. That I think goes a bit too far for here.@ehmry, as maintainer of https://github.com/nix-community/flake-nimble, do you have any more input regarding the lock format?