Https://search.nixos.org/packages - source links

https://search.nixos.org/packages

Why is nix 2.3.16 and nix 2.7 linked to the same source code?

Because the file containing the meta attribute is the same.

Probably the actual derivations just differ in the sources passed in from somewhere else.


Yes, as expected, the actual definitions per attribute all use a common function to build from different sources:

If I understand this right, it means that it can be totally different from the source code shown (because it is fetching anything from the URL)

Not sure what you mean.

The source link in the package search is meant to point to the package source, the nix expression used to build the package.

And the download can’t really be anything, it has to match the given content hash.

Sure, the hash has to match, but everyone could change the URL and hash to texlive

  • it could have “nothing” to do with the code / source where it is linked to

Yes, you have to trust here that it is correct. You have this problem everywhere, nix, pacman, portage, Deb, RPM, you name it.

It is TOFU, trust on first use…

However, you can always download the source code yourself, and hash it, and see if it gives you joy.

Nix won’t stop this kind of trust issue, but it sure as hell is hard to ‘cover it up’, unless git history can be rewritten, and that’s a different kind of problem!
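As an added illustration of the “download it yourself and hash it” check (example script, not code from the thread or from Nix), the function below recomputes the SHA-256 of a local file, renders it in the SRI form nixpkgs pins (`hash = "sha256-..."`), and compares it with the pinned value, which is the check a fixed-output derivation performs. It assumes coreutils `sha256sum` and `base64` plus `openssl` are installed; the “tarballs” are constructed inline.

```shell
#!/bin/sh
# Added example: verify a downloaded source file against the content hash a
# nixpkgs fetchurl call pins, the way Nix checks a fixed-output derivation.
# Assumes coreutils (sha256sum, base64, mktemp) and openssl are available.

# Hex SHA-256 of a file, as printed by sha256sum.
sha256_hex() {
  sha256sum "$1" | cut -d' ' -f1
}

# Same digest in Nix SRI form: "sha256-" followed by base64 of the 32 raw bytes.
sha256_sri() {
  printf 'sha256-%s' "$(openssl dgst -sha256 -binary "$1" | base64 | tr -d '\n')"
}

# Compare a file with the pinned hash; accepts SRI or plain hex like Nix does.
# Returns 0 on a match and 1 on a mismatch (where Nix would abort the build).
verify_source() {
  file=$1; pinned=$2
  case $pinned in
    sha256-*) actual=$(sha256_sri "$file") ;;
    *)        actual=$(sha256_hex "$file") ;;
  esac
  [ "$actual" = "$pinned" ] && return 0
  printf 'hash mismatch for %s\n  specified: %s\n  got:       %s\n' \
    "$file" "$pinned" "$actual" >&2
  return 1
}

# Demo on constructed files. The hash depends only on content, so a re-release
# shipped under the same name and version still fails the check.
demo() {
  tmp=$(mktemp -d)
  printf 'hello\n' > "$tmp/foo-1.0.tar.gz"
  printf 'hello, patched\n' > "$tmp/foo-1.0-rerelease.tar.gz"
  # What a nixpkgs expression would pin for the constructed original file.
  pinned='sha256-WJG1tSLV3whtD/CxEPvZ0hu0/HFjrzTQgoai6Eb2vgM='
  verify_source "$tmp/foo-1.0.tar.gz" "$pinned" && echo "original: ok"
  verify_source "$tmp/foo-1.0-rerelease.tar.gz" "$pinned" || echo "re-release: rejected"
  rm -r "$tmp"
}

demo
```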

I had a mismatched hash at some point, fetching a tarball. Alarm bells rang! After investigation it seems the source release had the same name but had different code (a patch). It was minor, so ‘they’ just released it under the same version and name. Probably to avoid breakage somewhere.

Did the maintainer know that it was different source? Or did someone, something, change it? Was it a deep cybersecurity trust problem, an accident or by design? Did the web server serve me a different file that one time because it knew who ‘I was’… I’d rather have some kind of TOFU hashing rather than none at all.

The world is not reproducible, nix fights this every day, are you going to join the fight ;-).

Good or bad? Only time will tell.