buildGoModule: check go.sum is up-to-date #100013

Closed

@yihuang yihuang commented Oct 8, 2020

Motivation for this change

go mod vendor will modify the go.sum file implicitly, so even if the go.sum file is not up to date, it still runs fine, and that's not good.

Things done

We are supposed to use a read-only version of go mod vendor here if there is one, but there isn't, so the best we can do is check that go.sum is not modified after go mod vendor.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@kalbasit kalbasit commented Oct 9, 2020

Many package owners don't do go mod tidy, so this will force package maintainers to have to patch go.sum.
IMO since we're locked on a specific commit of any package, and we run go mod vendor, it should produce a reproducible build. Have you found an edge case where it does not?

@yihuang yihuang commented Oct 10, 2020

> Many package owners don't do go mod tidy, so this will force package maintainers to have to patch go.sum.
> IMO since we're locked on a specific commit of any package, and we run go mod vendor, it should produce a reproducible build. Have you found an edge case where it does not?

I just find it annoying that sometimes nix-build succeeds but "go build -mod=readonly" fails. How about making it optional by adding an argument "checkGoSum"?

@yihuang yihuang force-pushed the yihuang:checkgosum branch from a6072f1 to 05d7129 Oct 10, 2020

@zowoq zowoq commented Oct 10, 2020

I'm not in favour of merging this even if it is optional. I don't see it being useful for packages in this repo and I don't think we should add niche features for external use.

@yihuang yihuang commented Oct 10, 2020

Actually, when thinking about reproducibility, I don't think it's properly reproducible if we don't check both go.mod and go.sum.
I think "go mod vendor" will modify go.mod when necessary, and when that happens, we get an unreproducible build. Also, go.mod only contains a dependency's git tag name rather than a commit hash, so if some dependency maintainer force-pushed a tag, we get a non-reproducible build too.
I'll make up some real test cases to verify them.

EDIT: I realize that we use vendorSha256 to ensure reproducibility, so it's actually fine. I'm closing this one, I can do the check in other scripts outside of nix-build.

@yihuang yihuang closed this Oct 10, 2020
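
The check proposed in this PR, written as a stand-alone script that can run outside nix-build. This is an added example, not code from the PR or from nixpkgs; the function name `check_go_files_unchanged` and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the PR's code): detect a command that silently rewrites
# go.mod or go.sum, as described for `go mod vendor` in the thread above.
#
# Hypothetical helper: check_go_files_unchanged DIR CMD [ARGS...]
#   returns 0 if go.mod and go.sum are byte-identical after CMD ran in DIR
#   returns 1 if either file was modified, created or deleted
#   returns 2 if CMD itself failed or the snapshot could not be taken
check_go_files_unchanged() {
    dir=$1; shift
    snap=$(mktemp -d) || return 2

    # Snapshot the two files the vendoring step may rewrite.
    for f in go.mod go.sum; do
        if [ -f "$dir/$f" ]; then cp "$dir/$f" "$snap/$f"; fi
    done

    # Run the command inside the module directory; the subshell keeps our cwd.
    cmd_status=0
    ( cd "$dir" && "$@" ) || cmd_status=$?

    rc=0
    if [ "$cmd_status" -ne 0 ]; then
        echo "command failed with status $cmd_status" >&2
        rc=2
    else
        for f in go.mod go.sum; do
            if [ -f "$snap/$f" ] && [ -f "$dir/$f" ]; then
                # Byte-for-byte comparison, no hashing tool required.
                cmp -s "$snap/$f" "$dir/$f" || { echo "$f was modified" >&2; rc=1; }
            elif [ -f "$snap/$f" ] || [ -f "$dir/$f" ]; then
                echo "$f was created or deleted" >&2
                rc=1
            fi
        done
    fi

    rm -rf "$snap"
    return "$rc"
}

# Typical use from a CI step, run at the module root:
#   check_go_files_unchanged . go mod vendor || exit 1
```

A non-zero result here means the committed go.sum (or go.mod) was incomplete or stale, which is the condition the PR wanted to turn into a build failure.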