nixpkgs-suyu/pkgs/build-support/rust/fetchcargo.nix
zimbatm f8d67ec135
buildRustPackage: add verifyCargoDeps option
One issue with cargoSha256 is that it's hard to detect when it needs to
be updated or not. It's possible to upgrade a package and forget to
update cargoSha256 and run with old versions of the program or
libraries.

This commit introduces `verifyCargoDeps` which, when enabled, will check
that the Cargo.lock is not out of date in the cargoDeps by comparing it
with the package source.
2019-09-30 17:09:52 +00:00

79 lines
2.4 KiB
Nix

{ stdenv, cacert, git, cargo, python3 }:
let cargo-vendor-normalise = stdenv.mkDerivation {
name = "cargo-vendor-normalise";
src = ./cargo-vendor-normalise.py;
nativeBuildInputs = [ python3.pkgs.wrapPython ];
dontUnpack = true;
installPhase = "install -D $src $out/bin/cargo-vendor-normalise";
pythonPath = [ python3.pkgs.toml ];
postFixup = "wrapPythonPrograms";
doInstallCheck = true;
installCheckPhase = ''
# check that ./fetchcargo-default-config.toml is a fix point
reference=${./fetchcargo-default-config.toml}
< $reference $out/bin/cargo-vendor-normalise > test;
cmp test $reference
'';
preferLocalBuild = true;
};
in
{ name ? "cargo-deps"
, src
, srcs
, patches
, sourceRoot
, sha256
, cargoUpdateHook ? ""
, # whenever to also include the Cargo.lock in the output
copyLockfile ? false
}:
stdenv.mkDerivation {
name = "${name}-vendor";
nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ];
inherit src srcs patches sourceRoot;
phases = "unpackPhase patchPhase installPhase";
installPhase = ''
if [[ ! -f Cargo.lock ]]; then
echo
echo "ERROR: The Cargo.lock file doesn't exist"
echo
echo "Cargo.lock is needed to make sure that cargoSha256 doesn't change"
echo "when the registry is updated."
echo
exit 1
fi
# Keep the original around for copyLockfile
cp Cargo.lock Cargo.lock.orig
export CARGO_HOME=$(mktemp -d cargo-home.XXX)
CARGO_CONFIG=$(mktemp cargo-config.XXXX)
${cargoUpdateHook}
mkdir -p $out
cargo vendor $out | cargo-vendor-normalise > $CARGO_CONFIG
# fetchcargo used to never keep the config output by cargo vendor
# and instead hardcode the config in ./fetchcargo-default-config.toml.
# This broke on packages needing git dependencies, so now we keep the config.
# But not to break old cargoSha256, if the previous behavior was enough,
# we don't store the config.
if ! cmp $CARGO_CONFIG ${./fetchcargo-default-config.toml} > /dev/null; then
install -D $CARGO_CONFIG $out/.cargo/config;
fi;
'' + stdenv.lib.optionalString copyLockfile ''
# add the Cargo.lock to allow hash invalidation
cp Cargo.lock.orig $out/Cargo.lock
'';
outputHashAlgo = "sha256";
outputHashMode = "recursive";
outputHash = sha256;
impureEnvVars = stdenv.lib.fetchers.proxyImpureEnvVars;
preferLocalBuild = true;
}