From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:403:4789::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id cO34K+u152Q8ZwAASxT56A (envelope-from ) for ; Thu, 24 Aug 2023 21:56:27 +0200 Received: from aspmx1.migadu.com ([2001:41d0:403:4789::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id eBqXK+u152TsbQAAauVa8A (envelope-from ) for ; Thu, 24 Aug 2023 21:56:27 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5F8AB5DED3 for ; Thu, 24 Aug 2023 21:56:27 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=disroot.org header.s=mail header.b=iFP2RmBT; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=reject) header.from=disroot.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1692906987; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=57WZjwShU7Q8HCEYn8/fdQmNv5RGhEiEQwElhcuSQpQ=; b=Bap2DlDLUjV7I+R7o4cDJ9mNzqwfMI7bdBJL/0zfJ7h2GOVKHUI/LTvtD7mWEZAbIVwXhp XwE6ZTdBaJ8kykh1JECuJw7GEWK6Ch4vSTUL0TOJFJaVGX0afvyB9RhK4ZNx1Zm73bYZK8 Fa3Ic/tmfLtz8i8B14fEeRXRL1gdBz8n5QGO+bh85NswgMD0WGZcBj8ide31yeprbdx6cz lCYwUnfD6ZrH/AaFmPpVnODemac7FLuouLAU585Rq2YMKDH3hVuH5YYmraIe9L3/gIPdn5 lVJPPLt3VKftYgFJM8jnL6Aj4w+P/6ravoI41X3f4tpVo8Tm8XO9T65LIMIxTQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1692906987; a=rsa-sha256; cv=none; b=Is76PJZNm21GiBF1OuWFO4680TgXn3FiPY2sZ38aKu/gGdXumRtZ+Wmu8hk75BxeORpQjR WxLuBg0WEGOKUcLs5kTiXthxn+2ISKfwQimIXBrjWTUkg54nStPnqXGWgUIZGb9LqFH28t vbc610vhDt9G56c7YNWHbo7GmrO7D8x4xEvCt1LqxsO1lKbScBONhaR2tWXbgQ6S4nBNOc 6rNn3w81rz19XVNWCajWBlwmg2BRFCahSNA/MOe/I+4/x+4cUw+jFvbpICHzpV9bypB2e9 KkEz/IDut4kwlXQE2PnpKxhZTtkMiUVpb0zZiWd0vbl8Hc9ED2TQJYrGPDfMRQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=disroot.org header.s=mail header.b=iFP2RmBT; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=reject) header.from=disroot.org Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qZGR2-0006a1-8w; Thu, 24 Aug 2023 15:56:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qZGR0-0006ZZ-F2 for guix-devel@gnu.org; Thu, 24 Aug 2023 15:56:02 -0400 Received: from layka.disroot.org ([178.21.23.139]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qZGQw-00066v-Uk for guix-devel@gnu.org; Thu, 24 Aug 2023 15:56:02 -0400 Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id E479340D3D; Thu, 24 Aug 2023 21:55:56 +0200 (CEST) X-Virus-Scanned: SPAM Filter at disroot.org Received: from layka.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DIKt-_bP-R2N; Thu, 24 Aug 2023 21:55:56 +0200 (CEST) References: <77a0c1d6-1a3d-473b-b86d-1ff17cefe9de@moller.systems> <87a5ughqb0.fsf@disroot.org> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1692906956; bh=N1IId3s59Yf97bD8Ch292wznOyEBzf1tP7KR68dzl8s=; h=References:From:To:Cc:Subject:Date:In-reply-to; b=iFP2RmBTkRe6/+SS0zhTtI/IHOqp789yQPJ5MimAM8OBSdyS7VrVIZawImFd1P3fo FmM2M9AStIqH+FwGz+gYokj5rg+drMr/IHSlq3EfD0mECSKxBdtTBrTP2Ju+RfYVZH /1ejLz7D9oKu/v9D6g56AIs1It53ZwGZ0J/CuFnFO84ifG6P+2a5Szm9vA8gpiXfHC vFUYubJngc77HaXFDMeHbzidA3a4fJORlldNMcz6koznoerNR5EGQMNqjMrdf8qNbw qLIzqJdmnk4e9KUMZUDXeWzla1Oi4glt7aw2AQPXeU7ph/OPkrhR5h5DHKPG68FmRJ AMbGbf9Ged7YQ== From: "(" To: Jonas =?utf-8?Q?M=C3=B8ller?= Cc: guix-devel@gnu.org Subject: Re: Why does Guix duplicate dependency versions from Cargo.toml? Date: Thu, 24 Aug 2023 20:40:51 +0100 In-reply-to: Message-ID: <87pm3c5i5w.fsf@disroot.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=178.21.23.139; envelope-from=paren@disroot.org; helo=layka.disroot.org X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Spam-Score: -4.76 X-Spam-Score: -4.76 X-Migadu-Queue-Id: 5F8AB5DED3 X-Migadu-Scanner: mx1.migadu.com X-TUID: NRhHT1yxG97G Hi, Sorry if I came off a bit harsh in the initial reply :) I didn't intend for it to read as a "ugh, how don't you understand this" sort of thing but that's what it appeared to be looking at it later. (Communication: It's Hard=E2=84=A2) Aaaaaaanyway.... Jonas M=C3=B8ller writes: > Interesting, Guix already has git/url-fetch, what is keeping Guix from si= mply > fetching a cargo project and then running `cargo build` in the fetched so= urce > directory? Okay, this will require a bit of explanation about how Guix's (and Nix's) derivations work. As I understand it, there are broadly two types of derivations: - fixed-output, used for things like - whatever-the-opposite-is-called, used for normal things like packages The reason fixed-output derivations are called that is because their hashes are *known before the derivation is built*, or at least their expected hashes; so Guix will download the file/repo, and if it doesn't match the given hash, it'll throw an error. Now, this means there's no reproducibility issue with internet access. If produced outputs O1 and and O2 are different, then either one or both will fail the hash check, and thus the output will never be built. There can never *be* a reproducibility issue because if there was one on the server side Guix would catch a hash-mismatch before the consequences of that irreproducibility were ever felt. Thus, *it is safe to allow internet access in a fixed-output build*, because reproducibility issues become null and void. Or, at least, that's how I understand it. On the flip side, of course, regular build scripts are not allowed to access anything (other than stuff we can't seem to figure out how to block, like system time) that could affect reproducibility. > If the problem is that the build daemon is sandboxed and doesn't have int= ernet > access, it is also feasible to have one stage of the build process downlo= ad all > the resources specified in Cargo.lock (and cache this in /gnu/store) and = rewrite > `version =3D "x.y.z"` to `path =3D "x/y/z"` before everything is passed t= o the build > daemon. This is actually *extraordinarily* close to what we already do. The cargo-build-system, when building a library, copies its entire source into the output directory (I know, I know... But without writing our own Rust build system, there's no alternative.) We use this source when building packages that depend on it; the sources of the #:CARGO-INPUTS of a package in the process of being built are copied into a 'guix-vendor' directory, and then we pass this flag to Cargo which makes it treat the vendor directory like a local package registry that takes precedence over crates.io. Hopefully that clears things up :) -- (