Add Nix packaging #31
Conversation
Co-authored-by: dvn <git@dvn.me>
Some crypto libraries missing for 32-bit x86.
|
|
||
| vendorHash = "sha256-4/AteWLY9biTspcXcyzK1gNwzkQfFoNq89yJheswf4s="; | ||
| # This hash is may drift from the actual vendoring and break the build, | ||
| # see https://nixos.org/manual/nixpkgs/unstable/#ssec-language-go. |
There was a problem hiding this comment.
I'm not sure what this comment means exactly; is this not the hash of the deps as they exist in your branch? Anyway, I made a new PR #38 on top of this and naturally had to change this hash (as I merged main, which changed lots in go.mod). If I understand correctly we'll need to change this whenever we change go.mod in the future... while the non-golang nix build deps are pinned via flake.lock. (Right?)
There was a problem hiding this comment.
Yes.
I'm not familiar enough with Go modules and vendoring to explain exactly what this is, but Nix is fetching all the vendored dependencies and then verifying that it is doing this deterministically by comparing the result of the fetch against a hash. To get the current hash this would be set to null or lib.fakeHash, run the build, and extract the generated hash from the build failure. This gets tricky because if the hash of the output of the fetch is know, it can be cached indefinitely, so if it gets out of sync a machine that built the previous deps would use the old deps, and on a machine where the cached deps aren't present it would try to re-fetch but fail because the hash is different.
|
Superseded by #38 |
Add some metadata for building a Nix package.
After merging the package can be built deterministically with
nix build github:katzenpost/katzen(if flake mode is locally enabled, not yet the default for Nix).To test the build run
nix build github:ehmry/katzen/flake -L.