search

tweag / opam-nix

Turn opam-based OCaml projects into Nix derivations
MIT License
109 stars 32 forks source link

`getUrl` doesn't provide a hash, so `--impure` is required to build. #35

Closed RyanGibb closed 1 year ago

RyanGibb commented 1 year ago

getUrl doesn't provide a hash attribute, so when it's result is used in the builder we get the error in pure evaluation mode, 'fetchTarball' requires a 'sha256' argument.

A workaround is to build with --impure. However, this negates a big advantage of flakes, especially if this requires a downstream user with a project built using opam-nix as a flake input to rebuild their NixOS config with --impure.

Materialization can be used to get all the dependencies of a project statically, instead of resolving them with opam at every build. Do you think it would be possibly to statically get hashes of these dependencies at this point and commit them to the json file produced my materialization?

RyanGibb commented 1 year ago

After closer inspection, I realise that the hashes are already extracted from the opam package definition, and that this is orthogonal to materialization.

After some tracing it looks like this error is the result of https://github.com/ocaml/opam-repository/blob/aa363b34739a7323c3b593e7ab850bc31fbfd202/packages/ocaml-variants/ocaml-variants.5.0.1+trunk/opam not having a checksum, as well as some packages (e.g. https://github.com/ocaml/opam-repository/blob/aa363b34739a7323c3b593e7ab850bc31fbfd202/packages/bigstringaf/bigstringaf.0.9.0/opam) not having a sha256 hash.

RyanGibb commented 1 year ago

After some investigation it seems fetchTarball fetchurl only support sha256 hashes https://github.com/NixOS/nix/blob/601849b95afc3d173ea34ff5dba6353f9b71b495/src/libexpr/primops/fetchTree.cc#L232

This is despite the Nixpkgs manual stating [0]:

The hash is typically sha256, although many more hash algorithms are supported.

[0] https://nixos.org/manual/nixpkgs/stable/#fetchurl

balsoft commented 1 year ago

fetchurl and fetchTarball are different things, fetchurl is a FOD (and can accept many hash formats, incl. md5, sha256, sha512), while fetchTarball is eval-time

balsoft commented 1 year ago

I don't think it's a good idea to record hashes during materialization when they're not in the original opam files. They could correspond to an "unstable" URL (think https://github.com/foo/bar/archive/master.tar.gz), and so telling Nix that the result is supposed to have a stable checksum is wrong and will lead to problems.

Also, if you're experiencing this problem with the trunk version (which is an unstable URL), there's a simpler fix: just require ocaml-base-compiler = "*" in your query, to force opam to choose a stable OCaml version.

RyanGibb commented 1 year ago

Thanks for the response, @balsoft.

if you're experiencing this problem with the trunk version (which is an unstable URL), there's a simpler fix: just require ocaml-base-compiler = "*" in your query, to force opam to choose a stable OCaml version.

Unfortunately this still seems to give an error:

nix build ...
error: in pure evaluation mode, 'fetchTarball' requires a 'sha256' argument

       … while evaluating the attribute 'src'

       at /nix/store/xjmchy23lg6wrlqbm32apzi9zrddf6k0-source/src/evaluator/default.nix:444:17:

          443|         pkgdef.src or pkgs.pkgsBuildBuild.emptyDirectory;
          444|     in { inherit archive src; };
             |                 ^
          445|

       … while evaluating the attribute 'src' of the derivation 'ocaml-variants-5.0.1+trunk'

Edit: nevermind! This was due to a transitive dependency. This works now. Thanks :)