Here is a separate set of packages all built starting from a single 357-byte binary seed. Everything else is built from source, working all the way up to gcc. The project does not depend on NixPkgs. The only dependency is the lib experiment in the same repository.
Note that only i686-linux packages are available here; cross compilation is left as future work for anyone interested.
And a huge thanks to @emilytrau for her work on the minimal-bootstrap packages in NixPkgs as well as her help and advice while I have been getting this set up.
That sounds really cool! How is it different from what Nixpkgs does? How are those differences more or less desirable in what circumstances?
I’d love to read a blog-post-length explanation of how this works and what problem it solves.
The 357-byte binary seed appears to be the same as the one the Guix project uses. More information at Guix’s blog post:
Linking the progress on Nixpkgs for reference:
opened 11:48AM - 15 May 21 UTC, labels: 0.kind: enhancement, 1.severity: mass-rebuild, 6.topic: reproducible builds, 6.topic: stdenv
## Motivation
Currently, NixOS relies on a 130 MB (uncompressed) [bootstrap](https://github.com/NixOS/nixpkgs/blob/50a11f4f4301b9b4cb1f3041fca4f2e71a73d4a5/pkgs/stdenv/linux/bootstrap-files/x86_64.nix) for x86_64-linux. Thus, there is quite a big trusted computing base. With years of effort accumulated in projects such as [live-bootstrap](https://github.com/fosslinux/live-bootstrap), it appears feasible to replace the Linux stdenv with a far smaller base of around 1 KB, while retaining the latest versions of autotools, bash, gcc and so on to bootstrap the rest of Nixpkgs.
See also bootstrap seed reduction carried out in Guix[0].
## References
[0] https://guix.gnu.org/blog/2020/guix-further-reduces-bootstrap-seed-to-25/
NixOS:master ← emilytrau:trusting-trust, opened 05:07AM - 24 Apr 23 UTC
###### Description of changes
This starts work on building a bootstrap toolchain from a 256-byte binary seed. The aim is to build up to, and hopefully replace, stdenv's trusted bootstrap-tools bundle. It would also have the advantage of reducing the need for manual action by maintainers whenever a bootstrap update is required.
By building the new toolchain from the bottom up, it should be quicker to incrementally build, review, and merge smaller additions without mass rebuilds.
This PR implements packages for `stage0-posix`, `mes`, and `tinycc`. I've decided to limit the scope here to not make it too large for review.
Only `i686-linux` has been implemented for now. To test: `nix-build --system i686-linux . -A trusting-trust.tinycc-with-mes-libc`
###### Things done
- Built on platform(s)
  - [x] x86_64-linux
  - [ ] aarch64-linux
  - [ ] x86_64-darwin
  - [ ] aarch64-darwin
- [ ] For non-Linux: Is `sandbox = true` set in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
- [ ] Tested, as applicable:
  - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
  - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests)
  - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
  - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [x] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [23.05 Release Notes (or backporting 22.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
  - [ ] (Module updates) Added a release notes entry if the change is significant
  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
- [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
cc @emilytrau.
I was wondering if all derivations could be avoided and a builder could be used instead, i.e.:
```diff
# https://git.auxolotl.org/auxolotl/labs/src/branch/main/tidepool/src/packages/foundation/gcc/default.nix#L48
src = lib.options.create {
- type = lib.types.derivation
+ type = lib.types.builder;
description = "The mpfr source for the package.";
};
.
.
.
# https://git.auxolotl.org/auxolotl/labs/src/branch/main/tidepool/src/packages/foundation/gcc/default.nix#L201
- src = builtins.fetchurl {
+ src = {
+ builder = builtins.fetchurl;
url = "${mirrors.gnu}/mpfr/mpfr-${config.mpfr.version}.tar.xz";
sha256 = "J3gHNTpnJpeJlpRa8T5Sgp46vXqaW3+yeTiU4Y8fy7I=";
};
.
.
.
# https://git.auxolotl.org/auxolotl/labs/src/branch/main/tidepool/src/packages/foundation/gcc/default.nix#L134
unpack = lib.dag.entry.before ["patch"] ''
# Unpack
- tar xf ${config.mpfr.src}
+ tar xf ${config.mpfr.src.drv} # not sure if this is possible
+ tar xf ${lib.drv config.mpfr.src} # alternative take
'';
```
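Review bot: in the `unpack` region the two `+` lines are alternatives for the same `tar xf`, yet as written both would run; keep only one, and the `lib.drv config.mpfr.src` form is the safer choice because it does not require the type to expose a `.drv` attribute, which the inline comment itself marks as uncertain. Whichever form stays, `lib.types.builder` still has to define how a plain `{ builder = builtins.fetchurl; url = ...; sha256 = ...; }` attrset is realized into a store path before it can be interpolated into the shell string.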
Use cases:
- Override hash or url
- Exporting SBOM without fetching src
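As an added illustration of the data-only source idea from the post above (this is not tidepool's code and does not define `lib.types.builder`): a source spec kept as a plain attrset can be overridden by attrset update and read for SBOM export without ever fetching, and is only turned into a derivation when a store path is needed. `realizeSrc` and `sbomEntry` are hypothetical helper names, and the URL and hash are placeholders.

```nix
# Added example (not tidepool's code). A source spec is kept as plain data
# and only turned into a derivation when a store path is actually needed.
let
  # Hypothetical helper: call the spec's builder with the remaining attributes.
  realizeSrc = src: src.builder (builtins.removeAttrs src [ "builder" ]);

  # Hypothetical helper: SBOM-style record that never touches the network.
  sbomEntry = src: { inherit (src) url sha256; };

  mpfrSrc = {
    builder = builtins.fetchurl;
    # Placeholder URL and hash, not real values.
    url = "https://example.invalid/mpfr/mpfr-VERSION.tar.xz";
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };

  # Use case 1: override url or hash by attrset update; no fetcher call to re-wrap.
  mpfrSrcFromMirror = mpfrSrc // {
    url = "https://mirror.example.invalid/mpfr-VERSION.tar.xz";
  };
in
{
  # builtins.fetchurl downloads as soon as this attribute is evaluated.
  src = realizeSrc mpfrSrcFromMirror;

  # Use case 2: evaluating this attribute exports metadata with no fetch.
  sbom = sbomEntry mpfrSrc;
}
```

`nix-instantiate --eval --strict -A sbom default.nix` returns the record without network access, because `builtins.fetchurl` only runs when `src` is evaluated.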