fluidattacks / makes

A software supply chain framework powered by Nix.
https://makes.fluidattacks.tech/
MIT License

Quick review feedback #512

Closed blaggacao closed 3 years ago

blaggacao commented 3 years ago

In order to pay fair tribute to the news of this project I wanted to submit a quick review at work and to the broader community.

Please consider giving feedback on it: https://demo.hedgedoc.org/s/TYPHlGRUw

Thanks! I will update it as I learn.

kamadorueda commented 3 years ago

Thanks for taking the time and giving the project a chance, I really appreciate it


We've been using Nix and "Makes" for three years now at Fluid Attacks; it has had many iterations, and the entire company now runs on it.

A few months ago, we decided to publish Makes to the world; this is what you see here on GitHub. It is still a work in progress, so the (public) framework will grow a lot as we finish migrating Fluid Attacks from the internal version of Makes to the public Makes. We've also polished a lot of edges, gave it a nicer CLI interface, and the NixOS module system.

> A thin (python) cli-wrapper (./m) is in charge of dependency injection (using nix-build --args...), module evaluation, task inventorization, realization and running.

./m (https://gitlab.com/fluidattacks/product/-/blob/master/m) is the old (internal) version of Makes :)

m (https://github.com/fluidattacks/makes/blob/main/src/cli/main/__main__.py) is the public, elegant version of it (this project)


> It prioritizes wrapping native tooling (purely) in proximity of developers' home turf over (complicated) 2nix approaches. And: no attitude (against flavors, e.g. using yaml) besides pro-simplicity.

I loved this one :heart:, because yes, this is what we strive for: simplicity

I'm (other project) exploring how to ease even more the landscape: https://github.com/kamadorueda/nixpkgs-python

Maybe we'll merge later


> Does not use or leverage the flakes (yet?). This seems to involve trade-offs w.r.t. eval caching, purity and also lack of compatibility for some of flake's most prominent interfaces, such as inputs management or fully encapsulated nixConfig.

True, Flakes has its advantages.

Anyway, we strive for maximum reproducibility and a proof of it is that ALL makes is --option sandbox true (https://github.com/fluidattacks/makes/blob/939a40963d820ad35a296d00cabe43cdce16eae7/src/cli/main/__main__.py#L140) which is the most strict configuration of Nix possible

We are also architectured around inputs (https://github.com/fluidattacks/makes#inputs) and outputs (https://github.com/fluidattacks/makes#extending-makes), so migrating to Flakes will be very simple once Flakes become the stable Nix


Looking forward to the final article!

We also have a blog: https://fluidattacks.com/blog/

blaggacao commented 3 years ago

Thank you for the additional info. I wonder how to make makes nicely blend into a flake-only environment. Do you have any pointers or could you even draft a minimal PoC?

Specifically, I think inputs and cache options are somewhat competing.

cache, because flakes have recently started to support nixConfig with any nix config attribute such as extra-substituters (example). This functionality doesn't yet work on daemon installs, though.

If you can drop me some rough guidance, I might be able to take it from there.

kamadorueda commented 3 years ago

> I wonder how to make makes nicely blend into a flake-only environment. Do you have any pointers or could you even draft a minimal PoC?

I have some ideas around this, I'll draft something

blaggacao commented 3 years ago

Nice! I'll commission a cron job to refresh this page every minute, from now on. :smile:

blaggacao commented 3 years ago

I think we can close this. Thx for all the input!