RFC: Minimise accidental users of minimal-bootstrap package set
#244966
Comments
Related: #227914 (minimal-bootstrap package set)
I think I would just create a new See also https://discourse.nixos.org/t/nixpkgs-cli-working-group-member-search/30517 which would give Nixpkgs more direct control over the JSON Repology gets, rather than hoping |
(I liked the original title better; Nix has a culture-specific redefinition of what "RFC" means, and an entire baroque process for doing them).
Honestly this sounds like a problem with Repology, not Nixpkgs.
Easy solution: don't expose it as a top-level entry in |
I would not like to just put in |
Ah, I see. Okay, sounds good. My point was that |
Search and Repology use the packages.json we export as part of the channel tarballs. What's listed in the JSON is what they will show. I think the solution to this issue is simply to not recurse into the There's two ways of doing that:
1. would stop recursion for all tools making use of nix-env to generate the whole list of packages in Nixpkgs including tools such as ofBorg, nixpkgs-review and |
Yeah |
@Atemu would you be able to make a PR for 2 please? It sounds good, I'm just not 100% confident I understand enough to implement it right myself |
Background

The minimal-bootstrap package set's goal is to provide an opaque replacement for bootstrap-tools in the stdenv. The chain to get from the seed binary to that point includes many packages that may be outdated, insecure, or contain broken/missing features. In addition, the research into bootstrappable builds is always evolving, and we may want to add or remove packages in the internal dependency chain without any guarantee of stability. These packages are not intended to be used directly by end-users.

Issues
Tools (such as search.nixos.org, repology, etc.) currently index this package set and provide discoverability to users. Trying to use these packages in the real world will currently most likely fail, warning you that the only supported platform is i686-linux. However, a more robust conditional check with better errors and documentation could be implemented to limit accidental use.

Another potential minor annoyance might be vulnerability scanning tools detecting the use of old package versions deep down in the stdenv bootstrap and triggering a false positive. Example (repology)
There are some tools that evaluate this package set that we do want to keep working. An important example would be Ofborg's eval checks and maintainer pings.
Ideas

1. A config flag that guards usage of the package set, with explanation and background information in an error message.
2. Renaming minimal-bootstrap to something in a similar spirit to ReactJS's __SECRET_DOM_DO_NOT_USE_OR_YOU_WILL_BE_FIRED
I came up with two potential improvements but neither would completely solve all the issues. I'm very interested to get everyone's ideas and comments to work together for a solution.
Maintainers
@amjoseph-nixpkgs @Artturin @Ericson2314 @06kellyjac @siraben
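As an added illustration of the two ideas in the issue body and of the "don't recurse into the set" suggestion from the comments (this is example code written for this page, not code from nixpkgs or from the issue author), the expression below models an internal package set as a small attribute set and applies both mechanisms. The opt-in flag name allowMinimalBootstrap is a hypothetical placeholder; lib.dontRecurseIntoAttrs and the recurseForDerivations attribute it sets are the real nixpkgs lib helpers that nix-env consults when deciding whether to descend into a set. It assumes a nixpkgs checkout on NIX_PATH and can be evaluated with nix-instantiate --eval --strict.

```nix
# Added example (not nixpkgs code): limiting accidental use of an internal
# package set. Assumes <nixpkgs/lib> is resolvable via NIX_PATH.
let
  lib = import <nixpkgs/lib>;

  # Constructed stand-in for the bootstrap chain; real members are derivations.
  minimalBootstrapSet = {
    gnumake = "<old gnumake derivation>";
    tinycc = "<tinycc derivation>";
  };

  # Idea 1: a config flag (hypothetical name `allowMinimalBootstrap`) that
  # guards the set and explains, in the error, why it is off by default.
  guard = config: set:
    if config.allowMinimalBootstrap or false
    then set
    else throw ''
      minimal-bootstrap is an internal package set used only to build
      bootstrap-tools for the stdenv. Its packages may be outdated or
      insecure and are not meant for direct use. Set
      config.allowMinimalBootstrap = true to evaluate it anyway.
    '';

  # Idea from the comments: keep `nix-env -qa` (and therefore the
  # packages.json that search/Repology index) from listing its members.
  # lib.dontRecurseIntoAttrs sets recurseForDerivations = false on the set.
  hidden = lib.dontRecurseIntoAttrs minimalBootstrapSet;

  # Where the set is attached to the top level, apply both.
  pkgs = config: {
    minimal-bootstrap = guard config hidden;
  };
in {
  # Opted in: the set is reachable but is still not recursed into.
  optedIn = (pkgs { allowMinimalBootstrap = true; }).minimal-bootstrap.recurseForDerivations;
  # Default: forcing the attribute throws the explanatory message, which
  # builtins.tryEval reports as success = false.
  defaultFails = !(builtins.tryEval (pkgs { }).minimal-bootstrap).success;
}
```

Evaluating this with nix-instantiate --eval --strict yields { defaultFails = true; optedIn = false; }. The two mechanisms are independent: the guard stops evaluation by users who did not opt in, while recurseForDerivations = false only affects enumeration, so tools that address the set by attribute path (the ofBorg eval checks mentioned in the issue) keep working once the flag is set in their config.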