dotnet: strip signature files from NuGet #326785
runCommand "${pname}.${version}.nupkg" { | ||
nativeBuildInputs = [ zip ]; | ||
ORIGINAL_NUPKG = from-source; | ||
# DOTNET_EXE = "${dotnet-sdk}/bin/dotnet"; |
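Review bot: the commented-out `DOTNET_EXE = "${dotnet-sdk}/bin/dotnet";` at the end of this hunk is a disabled verification hook left in the builder; since the thread settles on doing signature verification in nuget-to-nix rather than here, drop the line (or replace it with a one-line comment stating that verification happens at fetch time) so the derivation does not carry a dead reference to the SDK.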
Not yet been able to verify signatures, so skipping that for now.
we should probably just do that in nuget-to-nix. no point in doing it again after that.
it might even be done already during restore, but I'm not sure.
That seems reasonable. I'll delete that completely from this PR. (The thing we lose by relying on nuget-to-nix is any handling of certificate revocation, which has to happen at package download time. If this PR were merged as-is right now, then `dotnet restore` at Nix build time would never see packages that contained signatures at all, so any revocation checks would have to happen at `fetchNuget` time.)
Do you think revocation lists would be distributed in the sdk, or would it always need to be online in order to check for revocation?
This depends on `NUGET_CERT_REVOCATION_MODE`. I generally work with that variable set to `offline` so that it checks only against the SDK's bundled lists, but that's because I'm usually behind a firewall and don't have access to the Internet.
Afraid I don't understand what ofborg is telling me here. I edited beatsabermodmanager to delete its
pkgs/build-support/dotnet/make-nuget-deps/make-source-independent.sh
I've tested this end-to-end again; it does indeed remove the signatures. Currently running
A member of the NuGet team points out:
I'm pretty sure we don't care about that: we don't care about recovering the original package so much as recovering a deterministic version of the package.
End-to-end test was again successful on 1b1b23e (a resulting dependency from NuGet.org correctly did not contain the signature);
Thanks! I'll give @NixOS/dotnet a chance to comment before merging.
LGTM
Not sure if `runCommand` is more appropriate here instead of `stdenvNoCC.mkDerivation` (we don't really need phases for running the `zip` command), but otherwise LGTM.
Oh noooo that doesn't produce any output at all when
@Smaug123, yes, sorry for the confusion. We can

```bash
# zip exits with status 12 ("nothing to do") when the archive contains no
# .signature.p7s; in that case pass the unchanged package through instead.
zip "$src" --temp-path "$TMPDIR" --output-file "$out" --delete .signature.p7s || {
  (( $? == 12 ))
  install -Dm644 "$src" "$out"
}
```
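The property the thread is after is not "recover the original package" but "every source yields the same bytes", and the fallback for an unsigned input has to give the same result as stripping a signed one. The following is an added example written for this discussion, not code from nixpkgs or this PR: instead of `zip --delete`, it rewrites the archive with Python's `zipfile`, copying every entry except `.signature.p7s` with its original name, timestamp, compression method and mode bits, so that a signed package from nuget.org and the same package built from source hash identically. The function names (`strip_nuget_signature`, `build_sample_nupkg`, `demo`) and the two in-memory sample packages are constructed for the example and are not real nupkgs. One caveat worth keeping in mind from the revocation discussion above: once the entry is gone, nothing downstream can verify the signer, so any signature or revocation check (`NUGET_CERT_REVOCATION_MODE` included) has to run on the package before this step.

```python
"""Strip the NuGet signature entry from a .nupkg and rewrite the archive
deterministically, so a signed package and its from-source twin agree byte
for byte. Added example for this discussion; not code from nixpkgs or the PR.
The sample packages are constructed in memory and are not real nupkgs.
"""
import hashlib
import io
import zipfile

# NuGet stores the author/repository signature as this entry, appended last.
SIGNATURE_ENTRY = ".signature.p7s"


def strip_nuget_signature(nupkg: bytes) -> tuple[bytes, bool]:
    """Return (rewritten archive, had_signature).

    Every entry except .signature.p7s is copied with its original name,
    timestamp, compression method and permission bits, in central-directory
    order, so the output depends only on the package contents. An unsigned
    package goes through the same rewrite, which is what the exit-code-12
    fallback in the thread's zip --delete call has to be equivalent to.
    """
    had_signature = False
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(nupkg)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == SIGNATURE_ENTRY:
                had_signature = True
                continue
            copy = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            copy.compress_type = info.compress_type
            copy.external_attr = info.external_attr
            dst.writestr(copy, src.read(info))
    return out.getvalue(), had_signature


def build_sample_nupkg(signed: bool) -> bytes:
    """Constructed stand-in for a nupkg: a nuspec plus one assembly stub.

    With signed=True a dummy .signature.p7s is appended last, mirroring where
    nuget.org places the real CMS blob when it signs a package.
    """
    timestamp = (2024, 7, 1, 12, 0, 0)
    entries = [
        ("Example.nuspec", b"<package><metadata><id>Example</id></metadata></package>"),
        ("lib/net8.0/Example.dll", b"MZ\x90\x00" + b"\x00" * 60),
    ]
    if signed:
        entries.append((SIGNATURE_ENTRY, b"\x30\x82" + b"\x00" * 30))  # fake DER
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # -rw-r--r--
            zf.writestr(info, data)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Show that the raw packages differ but the stripped forms coincide."""
    signed = build_sample_nupkg(signed=True)
    from_source = build_sample_nupkg(signed=False)
    stripped_signed, had_sig = strip_nuget_signature(signed)
    stripped_source, had_sig_src = strip_nuget_signature(from_source)
    return {
        "raw_hashes_differ": sha256(signed) != sha256(from_source),
        "stripped_hashes_match": sha256(stripped_signed) == sha256(stripped_source),
        "signed_had_signature": had_sig,
        "source_had_signature": had_sig_src,
        "entries": zipfile.ZipFile(io.BytesIO(stripped_signed)).namelist(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the rewrite copies the original entry timestamps rather than stamping the current time, running it twice over the same input returns the same bytes, which is what makes the output usable as a fixed-output derivation regardless of whether the input came from nuget.org or a local build.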
I'm running nixpkgs-review here too. Will post when done.
Result of 1 package marked as broken and skipped:
90 packages built:
Note: this change essentially doubles disk usage for rebuilds, had to restart nixpkgs-review because I ended up running out of filesystem space. Just a thought (not asking to implement this in the PR) — perhaps we can add an option to run

```nix
fetchNuGet {
  pname = "protobuf-net";
  version = "3.2.16";
  hash = "…";
  deleteSignatureInPostFetch = true;
}
```
That's more or less what I was thinking about here: #326345 (comment) We just need to teach nuget-to-nix about it.
I recently deleted Baldur's Gate III, which left me with plenty of room :P My
I think there might be an intermittent failure in dotnet 9 VMR, unfortunately, so I wouldn't worry too much about that one.
Result of 1 package failed to build:
104 packages built:
The only failure was ryujinx hanging during checkPhase, so I'll consider that a pass.
Description of changes
Strip signature files from downloaded NuGet packages.
The result of this PR is that `fetchNuget` nupkgs are source-independent per my testing.
Ref #326345