RFC: Minimise accidental users of minimal-bootstrap package set
#244966
Comments
emilytrau
added
0.kind: enhancement
6.topic: bootstrap
|
Related #227914 |
emilytrau
changed the title
minimal-bootstrap package setminimal-bootstrap package set
|
I think I would just create a new See also https://discourse.nixos.org/t/nixpkgs-cli-working-group-member-search/30517 which would give Nixpkgs more direct control over the JSON Repology gets, rather than hoping |
|
(I liked the original title better; Nix has a culture-specific redefinition of what "RFC" means, and an entire baroque process for doing them).
Honestly this sounds like a problem with Repology, not Nixpkgs.
Easy solution: don't expose it as a top-level entry in |
|
I would not like to just put in |
Ah, I see. Okay, sounds good. My point was that |
|
Search and Repology use the packages.json we export as part of the channel tarballs. What's listed in the JSON is what they will show. I think the solution to this issue is simply to not recurse into the There's two ways of doing that:
1. would stop recursion for all tools making use of nix-env to generate the whole list of packages in Nixpkgs including tools such as ofBorg, nixpkgs-review and |
|
Yeah |
|
@Atemu would you be able to make a PR for 2 please? It sounds good, I'm just not 100% confident I understand enough to implement it right myself |
ghost
closed this as 
Background
The
minimal-bootstrappackage set's goal to provide an opaque replacement forbootstrap-toolsin the stdenv. The chain to get from the seed binary to that point includes many packages that may be outdated, insecure, or contain broken/missing features. In addition the research into bootstrappable builds is always evolving, and we may want to add or remove packages into the internal dependency chain without guarantee of stability. These packages are not intended to be used directly by end-users.Issues
Tools (such as search.nixos.org, repology, etc.) currently index this package set and provide discoverability to users. Trying to use these packages in the real world will currently most likely fail, warning you that the only supported platform is
i686-linux. However a more robust conditional check with better errors and documentation could be implemented to limit accidental use.Another potential minor annoyance might be vulnerability scanning tools detecting the use of old package versions deep down in the stdenv bootstrap and triggering a false-positive. Example (repology)
There are some tools that evaluate this package set that we do want to keep working. An important example would be Ofborg's eval checks and maintainer pings.
Ideas
configflag that guards usage of the package set with explanation and background information in an error message.minimal-bootstrapto something in a similar spirit to ReactJS's__SECRET_DOM_DO_NOT_USE_OR_YOU_WILL_BE_FIREDI came up with two potential improvements but neither would completely solve all the issues. I'm very interested to get everyone's ideas and comments to work together for a solution.
Maintainers
@amjoseph-nixpkgs @Artturin @Ericson2314 @06kellyjac @siraben
The text was updated successfully, but these errors were encountered: