pkgs/build-support/fetchgit/default.nix at v192 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / pkgs / build-support / fetchgit / default.nix
at v192 2.3 kB view raw
 1{stdenv, git, cacert}: let
 2  urlToName = url: rev: let
 3    base = baseNameOf (stdenv.lib.removeSuffix "/" url);
 4
 5    matched = builtins.match "(.*).git" base;
 6
 7    short = builtins.substring 0 7 rev;
 8
 9    appendShort = if (builtins.match "[a-f0-9]*" rev) != null
10      then "-${short}"
11      else "";
12  in "${if matched == null then base else builtins.head matched}${appendShort}";
13in
14{ url, rev ? "HEAD", md5 ? "", sha256 ? "", leaveDotGit ? deepClone
15, fetchSubmodules ? true, deepClone ? false
16, branchName ? null
17, name ? urlToName url rev
18}:
19
20/* NOTE:
21   fetchgit has one problem: git fetch only works for refs.
22   This is because fetching arbitrary (maybe dangling) commits may be a security risk
23   and checking whether a commit belongs to a ref is expensive. This may
24   change in the future when some caching is added to git (?)
25   Usually refs are either tags (refs/tags/*) or branches (refs/heads/*)
26   Cloning branches will make the hash check fail when there is an update.
27   But not all patches we want can be accessed by tags.
28
29   The workaround is getting the last n commits so that it's likly that they
30   still contain the hash we want.
31
32   for now : increase depth iteratively (TODO)
33
34   real fix: ask git folks to add a
35   git fetch $HASH contained in $BRANCH
36   facility because checking that $HASH is contained in $BRANCH is less
37   expensive than fetching --depth $N.
38   Even if git folks implemented this feature soon it may take years until
39   server admins start using the new version?
40*/
41
42assert md5 != "" || sha256 != "";
43assert deepClone -> leaveDotGit;
44
45stdenv.mkDerivation {
46  inherit name;
47  builder = ./builder.sh;
48  fetcher = ./nix-prefetch-git;
49  buildInputs = [git];
50
51  outputHashAlgo = if sha256 == "" then "md5" else "sha256";
52  outputHashMode = "recursive";
53  outputHash = if sha256 == "" then md5 else sha256;
54
55  inherit url rev leaveDotGit fetchSubmodules deepClone branchName;
56
57  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
58
59  impureEnvVars = [
60    # We borrow these environment variables from the caller to allow
61    # easy proxy configuration.  This is impure, but a fixed-output
62    # derivation like fetchurl is allowed to do so since its result is
63    # by definition pure.
64    "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy"
65    ];
66
67  preferLocalBuild = true;
68}