I am working on porting HHVM to Nix, and have successfully made it work when sandboxing is disabled. HHVM was a package in nixpkgs; however, it was removed because the derivation was broken, so I hope I can add it back to nixpkgs.
Unfortunately, the build script of HHVM downloads its dependencies from the internet, preventing it from building in a sandbox. I wonder if we have any general solution to deal with this situation?
I have some ideas like this
I would propose a more general solution, providing a special HTTP proxy to record URLs and hashes to download:
As a package maintainer, the usage would look like this:
- Setting up the HTTP proxy as part of the derivation
- Adding a `passthru.updateScript` that would build the derivation with
- Executing the `updateScript`, which will trigger the special proxy to record the files downloaded, and the proxy will update the `nix` file to include the recorded URLs and hashes as inputs.
- Building the derivation again with `--sandbox`. This time the special proxy should redirect HTTP requests to these recorded files, which should have been downloaded locally because they are part of the derivation inputs.
I just wonder if there is anyone who has attempted a similar approach, or if there is a better way to deal with upstream build scripts that download files.
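
The record-and-replay behaviour proposed in the post above, sketched as an added example (not code from the original post or from nixpkgs). The class, method and URL names are hypothetical, and the upstream is a constructed in-memory dictionary standing in for a real HTTP fetch:

```python
import hashlib

class RecordReplayStore:
    """Core logic of a record/replay fetch proxy (all names hypothetical)."""

    def __init__(self, pinned=None, blobs=None):
        self.pinned = dict(pinned or {})  # url -> sha256 hex (what the nix file would pin)
        self.blobs = dict(blobs or {})    # sha256 hex -> bytes (pre-fetched inputs)

    def record(self, url, fetch):
        """Unsandboxed pass: fetch from upstream and pin the content hash."""
        body = fetch(url)
        digest = hashlib.sha256(body).hexdigest()
        old = self.pinned.get(url)
        if old is not None and old != digest:
            # Upstream silently replaced the file; force a reviewed re-pin.
            raise ValueError(f"{url}: content changed since it was pinned")
        self.pinned[url] = digest
        self.blobs[digest] = body
        return body

    def replay(self, url):
        """Sandboxed pass: no network, only pinned and verified content."""
        digest = self.pinned.get(url)
        if digest is None:
            raise LookupError(f"{url}: not recorded, refusing to fetch")
        body = self.blobs.get(digest)
        if body is None or hashlib.sha256(body).hexdigest() != digest:
            raise ValueError(f"{url}: local copy missing or hash mismatch")
        return body

# Constructed upstream for the demo; a real proxy would make an HTTP request.
UPSTREAM = {"https://example.invalid/dep-1.0.tar.gz": b"constructed tarball bytes"}

def demo():
    url = "https://example.invalid/dep-1.0.tar.gz"
    recorder = RecordReplayStore()
    recorder.record(url, UPSTREAM.__getitem__)
    # The sandboxed build sees only the pinned hashes and pre-fetched blobs.
    sandboxed = RecordReplayStore(recorder.pinned, recorder.blobs)
    served = sandboxed.replay(url)
    try:
        sandboxed.replay("https://example.invalid/unpinned.tar.gz")
        refused = False
    except LookupError:
        refused = True
    return served, refused

if __name__ == "__main__":
    print(demo())
```

Failing closed on an unrecorded URL or a hash mismatch is what keeps the sandboxed build reproducible: anything the build script requests that was not pinned during the recording pass surfaces as a build error.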