scyther: init at 1.1.3 #27006
scyther: init at 1.1.3 #27006
Conversation
| @@ -0,0 +1,30 @@ | |||
| { lib, callPackage, callPackage_i686, buildEnv | |||
| , includeGUI ? true | |||
There was a problem hiding this comment.
I don't know this package at all; how useful is it to its audience without the GUI? I'm wondering whether this should default to false.
There was a problem hiding this comment.
The package is advertised as a GUI application first, it provides visualizations the cli can't do easily.
There was a problem hiding this comment.
Thinking about it again, it might be better to default to false, the current NixOS target audience would probably prefer CLI tools (me included). Also the CLI tool doesn't have the mentioned runtime problems with certain protocol
There was a problem hiding this comment.
Why bother joining the two tools in a single output?
| paths = [ cli ] ++ lib.optional includeGUI gui; | ||
| pathsToLink = ["/bin"]; | ||
|
|
||
| postBuild = if includeGUI then '' |
There was a problem hiding this comment.
I did a double-take here. I think I understand what's happening; if the GUI's included, then link the GUI protocols in; otherwise, copy the (bare-bones?) protocols from the source package. But I'm not sure why. Can we get a comment explaining this trickery?
There was a problem hiding this comment.
Ah yes, I'm copying the whole ./gui directory from the source to $out, because that's where all the GUI is. I believe there is some way for the GUI to show these protocols, that's why they're there. But the CLI wouldn't include them, but because the protocols are so useful, I decided to have them in there anyways. Could be made a seperate output though, doesn't technically need to be there.
There was a problem hiding this comment.
And if I always copied them from source they would be duplicated in the case of includeGUI = true
| let | ||
| filtered = builtins.filter (s: s.name == "${version}") versions; | ||
| in if filtered != [] then fetchSource (builtins.head filtered) else | ||
| throw "Scyther version ${version} is not available, choose one of ${showVersions} instead."; |
|
Running it on Ubuntu doesn't work (the build succeeds though). I'll try to fix that and add some simple checks |
|
Now doesn't have any runtime problems (the problem I mentioned before was on both Ubuntu and NixOS btw). I added a simple execution of the program as a test. I couldn't get the default This package is done as far as I can tell. There are some issues when running certain protocols, but I'm 99.9% sure this is a bug in the package and has nothing to do with Nix. |
| # For some reason it doesn't use the C89 standard which would allow __inline__ | ||
| for file in *.* | ||
| do | ||
| substituteInPlace $file --replace "__inline__ " "" |
There was a problem hiding this comment.
Please do an upstream PR for this, such that we don't need to patch it ourselves. The rest of your PR looks good enough.
There was a problem hiding this comment.
The issue about this version.h file comes from the fact that the python script for its generation relies on being in a git repo (so it can check the tag/rev). This could be solved by doing a full checkout, but I don't think it's worth the build time dependency of python, considering the script is dead simple.
The issue with these __inline__ attributes I have no idea how to solve, cmake is supposed to use the C89 standard but it doesn't for some reason. If somebody could show me how it's done that would be awesome.
|
Ahh I just figured it out, I was able to remove the |
|
Here's a PR I opened when @infinisil was trying to package this https://github.com/NixOS/nixpkgs/pull/26785/files. Note that I do not use this package. |
| @@ -0,0 +1,26 @@ | |||
| { stdenv, lib, cmake, glibc, makeWrapper, fetchFromGitHub, flex, bison, source }: | |||
| stdenv.mkDerivation { | |||
| name = "scyther-cli-${source.rev}"; | |||
There was a problem hiding this comment.
a source revision is not a valid version for in Nixpkgs
| flex | ||
| bison | ||
| ]; | ||
| } |
There was a problem hiding this comment.
Thanks for the review!
Since only the drv in default.nix is intended to be used I only put meta there, it would be the same for all (internal) drvs.
| @@ -0,0 +1,30 @@ | |||
| { lib, callPackage, callPackage_i686, buildEnv | |||
| , includeGUI ? true | |||
There was a problem hiding this comment.
Why bother joining the two tools in a single output?
|
|
||
| format = "other"; | ||
|
|
||
| phases = [ "unpackPhase" "patchPhase" "installPhase" "fixupPhase" "testPhase" ]; |
|
|
||
| phases = [ "unpackPhase" "patchPhase" "installPhase" "fixupPhase" "testPhase" ]; | ||
|
|
||
| patchPhase = '' |
There was a problem hiding this comment.
postPatch, try not to override the phases
There was a problem hiding this comment.
I'll fix that
And my reply to your comment about joining the outputs (can't reply to that for some reason): it separates stuff nicely I think, since the source needs to be shared by both parts and the gui depends on the cli with this setup one can only install the cli if desired. I'll think about it once more but I believe it's the cleanest like this. One other solution would be to just use 2 top-level packaged as you did before
| ''; | ||
|
|
||
| # This would call wrapPythonPrograms which only wraps ones in $out/bin | ||
| dontWrapPythonPrograms = true; |
There was a problem hiding this comment.
if you don't want the wrappers you may as well just use stdenv.mkDerivation.
There was a problem hiding this comment.
Good call, I thought about this when writing it, I'll try this
| @@ -0,0 +1,33 @@ | |||
| { lib, fetchFromGitHub }: | |||
| let | |||
| versions = map (s: { name = s.rev; } // s) [ | |||
There was a problem hiding this comment.
We typically provide only a single version. If users want another version, they could override and pass their own src in.
There was a problem hiding this comment.
Heh, yes that is a very valid point, I thought it would be neat if it could be chosen between two releases which very much differ (very comparable to firefox and firefox-esr).
How about this: Getting rid of the master version (this can also fix the rev as version in your other comment) and making it possible to override source like all other packages?
| src = source; | ||
| preConfigure = '' | ||
| cd src | ||
| # Since we're not in a git dir, the normal command this project uses to create this file wouldn't work |
There was a problem hiding this comment.
This works until the moment it doesn't. Please add some kind of assertion checking that upstream didn't change their method of producing this string in a couple of versions.
| preConfigure = '' | ||
| cd src | ||
| # Since we're not in a git dir, the normal command this project uses to create this file wouldn't work | ||
| printf "#define TAGVERSION \"${source.rev}\"\n" >> version.h |
There was a problem hiding this comment.
The Python script writes to the file, you append to it. Your use of printf is potentially wrong depending on the value of ${source.rev}, so please use a format string.
|
@FRidh @0xABAB @MostAwesomeDude I redid the whole package, putting everything into a single derivation, abandoning the 'providing different versions by default' thing. While it was a cool idea, it's not the right thing to do. I fixed every mentioned flaw of previous review comments, except what @0xABAB said regarding the generation of the One big drawback of how its done now is that since everything (both cli and gui part) gets built using |
|
|
||
| patchPhase = '' | ||
| # Since we're not in a git dir, the normal command this project uses to create this file wouldn't work | ||
| printf "%s\n" "#define TAGVERSION \"${version}\"" >> src/version.h |
There was a problem hiding this comment.
You are still appending (>>) instead of writing (>) to src/version.h.
|
|
||
|
|
||
| configurePhase = '' | ||
| pushd src |
There was a problem hiding this comment.
(cd src && cmakeConfigurePhase) (including the parentheses does the same, right? (And is shorter and more portable.)
| ]; | ||
|
|
||
| dontUseCmakeBuildDir = true; | ||
| cmakeFlags = [ "-DCMAKE_C_FLAGS=\"-std=gnu89\"" ]; |
There was a problem hiding this comment.
"-DCMAKE_C_FLAGS=-std=gnu89" does the same.
| , includeProtocols ? true | ||
| }: | ||
| let | ||
| version = "v1.1.3"; |
There was a problem hiding this comment.
This version string is invalid. See builtins.parseDrvName. A version string must begin with a digit.
| stdenv.mkDerivation { | ||
| name = "scyther-${version}"; | ||
| src = fetchFromGitHub { | ||
| rev = "v1.1.3"; |
There was a problem hiding this comment.
Once the version has been fixed, you can do rev = v${version}.
There was a problem hiding this comment.
Thanks, didn't notice that, fixed now
|
Pinging @FRidh, the things you mentioned have all been corrected in the totally new revision of this package. |
|
Can somebody tell my why travis complains about wrong platform on Darwin even though I explicitly set platforms to linux only? https://travis-ci.org/NixOS/nixpkgs/jobs/254011342#L1544 |
| (cd src && cmakeConfigurePhase) | ||
| ''; | ||
|
|
||
| propagatedBuildInputs = [] ++ lib.optional includeGUI [ |
|
LGTM if @FRidh doesn't review and/or merge soon, let me know. |
That's why its better to build it in two separate derivations. The one, that just builds that little binary, and the other that puts it all together in one derivation. |
You set You can ignore this error because its expected behavior. |
|
@FRidh I'll make another revision to separate the two parts |
|
@FRidh I separated the package into two versions so it doesn't require 32-bit versions of everything. One thing I changed is the inclusion of protocols. If Since some things changed, I'd love the other reviewers to have another look (especially the |
|
@FRidh ping |
This PR adds the scyther application, a tool for automatic verification of security protocols. On GitHub
This is the first time I wrote a non-trivial amount of nix code, I tried to structure it well :)
I split the package up into 4 files:
sources.nixcontains different versions of the package. The official latest release is 1.1.3, there is also a Compromise-0.9.2 version which has some different performance characteristics which may not everybody want. Then I also included the latest commit from master, as the project hasn't seen a new release in a while and there were some bug fixes.cli.nixcontains the 32bit package for building the C part, which generates a single executable, usable by itself.gui.nixcontains the python GUI frontend, which uses the CLI at runtimedefault.nixcontains the actual package which builds a single environment. Using theincludeGUI(defaulttrue) option, one can choose to not to have the GUI, while theversionoption lets you select one of the three above mentioned versions.This split into multiple derivations is made to reduce build time and output path size.
Motivation for this change
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)