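# fetchgit: build a fixed-output derivation that checks out `rev` of the Git
# repository at `url`. The actual fetch is done by ./builder.sh and
# ./nix-prefetch-git, which are not shown here.
{ stdenvNoCC, git, cacert }:

let
  # Derive the default derivation name from the repository URL and revision:
  # the last path (or ":"-separated) component of the URL, minus a trailing
  # ".git", followed by "-<first 7 chars of rev>" when rev looks like a hash.
  urlToName = url: rev:
    let
      inherit (stdenvNoCC.lib) removeSuffix splitString last;
      base = last (splitString ":" (baseNameOf (removeSuffix "/" url)));

      # The dot is escaped so that only a literal ".git" suffix is stripped.
      # Unescaped, "(.*).git" also matched names such as "legit" or "foo-git"
      # and silently truncated them.
      matched = builtins.match "(.*)\\.git" base;

      short = builtins.substring 0 7 rev;

      # Only revs made entirely of lowercase hex digits get the short suffix.
      # There is no length check, so an abbreviated hash also matches.
      appendShort =
        if (builtins.match "[a-f0-9]*" rev) != null
        then "-${short}"
        else "";
    in
    "${if matched == null then base else builtins.head matched}${appendShort}";
in
# NOTE(review): sha256 defaults to "", and that value is passed straight to
# outputHash below. How an empty outputHash is treated depends on the Nix
# version; confirm that it cannot result in a fetch whose content is never
# compared to a hash.
{ url, rev ? "HEAD", md5 ? "", sha256 ? "", leaveDotGit ? deepClone
, fetchSubmodules ? true, deepClone ? false
, branchName ? null
, name ? urlToName url rev
, # Shell code executed after the file has been fetched
  # successfully. This can do things like check or transform the file.
  # NOTE(review): presumably this runs inside the builder, so its result is
  # what the output hash covers; confirm in builder.sh.
  postFetch ? ""
}:

/* NOTE:
   fetchgit has one problem: git fetch only works for refs.
   This is because fetching arbitrary (maybe dangling) commits may be a security risk
   and checking whether a commit belongs to a ref is expensive. This may
   change in the future when some caching is added to git (?)
   Usually refs are either tags (refs/tags/*) or branches (refs/heads/*)
   Cloning branches will make the hash check fail when there is an update.
   But not all patches we want can be accessed by tags.

   The workaround is getting the last n commits so that it's likely that they
   still contain the hash we want.

   for now : increase depth iteratively (TODO)

   real fix: ask git folks to add a
   git fetch $HASH contained in $BRANCH
   facility because checking that $HASH is contained in $BRANCH is less
   expensive than fetching --depth $N.
   Even if git folks implemented this feature soon it may take years until
   server admins start using the new version?
*/

# A deep clone is only allowed when the .git directory is kept.
# NOTE(review): with leaveDotGit the output hash also covers git's own
# metadata; confirm that this is reproducible for the intended use.
assert deepClone -> leaveDotGit;

# md5 is rejected outright; sha256 is the only accepted content hash.
if md5 != "" then
  throw "fetchgit does not support md5 anymore, please use sha256"
else
stdenvNoCC.mkDerivation {
  inherit name;
  builder = ./builder.sh;
  fetcher = "${./nix-prefetch-git}";  # This must be a string to ensure it's called with bash.
  nativeBuildInputs = [git];

  # Fixed-output derivation: the recursive (whole-tree) sha256 of the result
  # must equal the caller-supplied value. This hash is the integrity check on
  # the fetched content, independent of the transport.
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  outputHash = sha256;

  inherit url rev leaveDotGit fetchSubmodules deepClone branchName postFetch;

  # Point git at the cacert bundle so HTTPS remotes are verified against it.
  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";

  # These variables are taken from the environment of whoever runs the build.
  # GIT_PROXY_COMMAND names a program that git executes to reach the remote,
  # so its value has to come from a trusted build environment.
  impureEnvVars = stdenvNoCC.lib.fetchers.proxyImpureEnvVars ++ [
    "GIT_PROXY_COMMAND" "SOCKS_SERVER"
  ];

  preferLocalBuild = true;
}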