9 commits

Author SHA1 Message Date
Damien Diederen
3363377530 vmTools.debClosureGenerator: Fix non-determinism in dependency graph
By default, Perl versions since 5.8.1 use randomization to make hashes
resistant to complexity attacks.

That randomization makes building VM images such as ubuntu1804x86_64
non-deterministic because the (imported) derivations built by
deb/deb-closure.pl are not stable.

This can easily be observed by repeating the following sequence of
commands and noting the path of the image's .drv:

    nix-instantiate -E '(import <nixpkgs> {}).vmTools.diskImageFuns.ubuntu1804x86_64 {}'
    nix-store --delete /nix/store/*ubuntu-18.04-bionic-amd64.nix

One source of non-determinism is the handling of Provides/Replaces,
which depends on the order of iteration over %packages.  Here is a
diff showing the corresponding change in output:

     >>> awk
    -virtual awk: using original-awk
    -    original-awk: libc6 (>= 2.14)
    +virtual awk: using mawk
    +    mawk: libc6 (>= 2.14)

    -    mawk: libc6 (>= 2.14)
    ->>> libc6

This patch sorts packages by name for Provides/Replaces processing,
which seems to result in stable output.

(If the above turns out not to be sufficient, one could also set the
PERL_HASH_SEED and PERL_PERTURB_KEYS environment variables, documented
in 'perlrun', to disable Perl's built-in randomization.  Complexity
attacks are not an issue as we control and trust all inputs.)
2020-12-30 11:37:37 +01:00
Eelco Dolstra
e7480d9cb7 Add Debian 7.0 2013-05-07 11:19:46 +02:00
Eelco Dolstra
b29d424115 Get deb-closure.pl to work with the latest dpkg 2012-12-04 19:56:31 +01:00
Eelco Dolstra
20de8c8086 Make the "universe" repository available to the Ubuntu image generator
Also fix Ubuntu 12.04 name from "oneiric" to "precise".
2012-08-27 13:53:07 -04:00
Eelco Dolstra
bacc6ab790 Remove trailing whitespace 2012-08-27 13:53:07 -04:00
Eelco Dolstra
a3d259adf0 * Remove `~' from Debian package filenames (they're not allowed in the
Nix store at top-level for portability reasons).  (NIX-106)

svn path=/nixpkgs/trunk/; revision=12133
2008-06-17 07:53:09 +00:00
Eelco Dolstra
d000918941 * Moved the Debian and RPM closure generators to vm/default.nix.
* In addition to the `diskImages' set, there now is a `diskImageFuns'
  set that holds functions to build a disk image for a specific
  distribution, given a list of names of top-level packages that
  should be included in the image.  This makes it easier to customise
  an image (e.g. if you want to build an RPM in an image with some
  very specific dependencies that aren't in the default image).

* Added Fedora 6.

svn path=/nixpkgs/trunk/; revision=11513
2008-04-09 12:02:15 +00:00
Eelco Dolstra
17bc8a1b90 * Use the `import <derivation>' feature to generate and import the Nix
expression for a Debian closure automatically (so that we don't have
  to remember to regenerate those files ourselves).  The `import
  <derivation>' feature generally shouldn't be used in Nixpkgs, but
  since it's only used in the buildfarm it should be fine.

svn path=/nixpkgs/trunk/; revision=11512
2008-04-09 11:19:17 +00:00
Eelco Dolstra
bf5db34927 * Move to Nixpkgs: support for building in VMs is more generally
useful, probably.

svn path=/nixpkgs/trunk/; revision=11126
2008-03-14 13:51:01 +00:00