feat: better document Rust template

[mkenigs]

Add comments about imports, outputHashes, and buildInputs

[tomberek]

There is a “nix-prefetch-url/git” approach that is technically more correct than using the fakeSha. We should mention that as well.

[ysndr]

libiconv is pretty commonly referenced on macos too
We should also link to the different apple frameworks or explain how to read the linker error messages in the nix context

[mkenigs]

I'm not incredibly familiar with all the different apple frameworks - would you be able to explain that? Or point me to some docs?

[ysndr]

Me neither my familiarity stems from trying to build rust projects and ever so often the linker fails
Security is a fairly frequent one (e.g. its a transitive dependency of the very popular tokio web-stack)

[mkenigs]

Haha okay I'll poke around

[mkenigs]

Added comments about linker failures. I think we a need a way for users to find frameworks, and I put a comment with desired behavior in the last commit, but that's not reality yet

[ysndr]

As @tomberek mentioned the less weird way of getting the hash should be

nix store prefetch-file "<url>"

However the url part is not necessarily known for cargo dependencies 🤔

[mkenigs]

Will the url be apparent for any dependency a user needs to set the output hash? I feel like we should just recommend the one simplest way

[ysndr]

no with these generated ones its usually quite difficult to anticipate the url

[mkenigs]

Then I think I would only document the fakeSha256 approach, since this is targeted at a first time user. cc @tomberek

[ysndr]

Yes, ultimately thats a nix ux issue we won't solve now

[elbart]

Tbh, I think it's not the solution we would need in the end, since I definitely do not want to maintain these hashes here manually (those are actually pinned within Cargo.lock). I see that there is an issue (Matthew found that one here: NixOS/nixpkgs#183344) but the provided solution is a workaround for that one (at least from my "simple" user perspective). I therefore suggest to put the actual issue link to the comments as well and somehow record a future todo to revisit / remove the workaround as soon as the nixpkgs issue is solved.

[mkenigs]

👍 tracking the issue of managing the hashes manually

[ysndr]

Unfortunately NixOS/nixpkgs#183344 seems to be a different issue,but one we have to be aware of regardless.

[ysndr]

@elbart
As a bit of a background

Cargo locks git and registry dependencies differently.

In case of registry provided dependencies (your standard crates.io for example) the lock looks like this:

[[package]]
name = "anyhow"
version = "1.0.43"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "28ae2b3dec75a406790005a200b1bd89785afc02517a00ca99ecfe093ee9e6cf"
dependencies = [
 "backtrace",
]

Cargo adds a checksum to verify the integrity of the downloaded package, this checksum is reused by nix as the hash for this package, hence no need to specify it again.

On the other hand git dependencies are locked like this:

[[package]]
name = "libc"
version = "0.2.126"
source = "git+https://github.com/rust-lang/libc?rev=f143f2b9ace1c9b99dd5c104470e94f5990ed7d2#f143f2b9ace1c9b99dd5c104470e94f5990ed7d2"

There is no checksum provided here as cargo considers the git rev to provide enough integrity guarantees.
Nix does not though. Broadly speaking, any resource fetched by nix needs a checksum.
Nix can't derive it from the lock file so you need to specify it separately.

//

As a side note, (you don't need to look into these yourself these projects might be overwhelming without the nix background)

Alternatively to this pure nix approach, there are external tools that separately, convert your Cargo.toml/Cargo.lock into a nix variant. Since these tools are not part of the nix build they can download and checksum the git dependencies as well as e.g. improve build caching.