diff --git a/maintainers/scripts/bootstrap-files/README.md b/maintainers/scripts/bootstrap-files/README.md
index 9abc4402a414d..a353be6e3f602 100644
--- a/maintainers/scripts/bootstrap-files/README.md
+++ b/maintainers/scripts/bootstrap-files/README.md
@@ -11,10 +11,53 @@ These are called "bootstrap files". Bootstrap files should always be fetched from hydra and uploaded to `tarballs.nixos.org` to guarantee that all the binaries were built from the code committed into `nixpkgs` repository. -The uploads to `tarballs.nixos.org` are done by `@lovesegfault` today. +The uploads to `tarballs.nixos.org` are done by `@NixOS/infra` team members who have S3 write access. This document describes the procedure of updating bootstrap files in `nixpkgs`. +## How to upload bootstrap files (for infra team) + +When a PR updates bootstrap files, the commit message contains the upload commands. +Infra team members with S3 access can upload as follows: + +1. Clone or navigate to the [nixos-infra](https://github.com/NixOS/nixos-infra) repository and enter the `terraform` directory: + + ``` + $ cd nixos-infra/terraform + ``` + +2. Authenticate with AWS SSO: + + ``` + $ aws sso login + ``` + +3. Realize the build output locally (fetch from hydra cache): + + ``` + $ nix-store --realize /nix/store/-stdenv-bootstrap-tools + ``` + +4. Upload to S3 with public-read ACL: + + ``` + $ aws s3 cp --recursive --acl public-read \ + /nix/store/-stdenv-bootstrap-tools/on-server/ \ + s3://nixpkgs-tarballs/stdenv/// + ``` + +5. Verify the upload by downloading and checking hashes: + + ``` + $ aws s3 cp --recursive s3://nixpkgs-tarballs/stdenv/// ./ + $ sha256sum bootstrap-tools.tar.xz busybox + $ sha256sum /nix/store/-stdenv-bootstrap-tools/on-server/* + ``` + + Compare these hashes with those shown in the PR's commit message. + +The exact paths and hashes are provided in each bootstrap update commit message generated by `refresh-tarballs.bash`. + ## How to request the bootstrap seed update To get the tarballs updated let's use an example `i686-unknown-linux-gnu` target: 
@@ -34,7 +77,7 @@ To get the tarballs updated let's use an example `i686-unknown-linux-gnu` target To validate cross-targets `binfmt` `NixOS` helper can be useful. For `riscv64-unknown-linux-gnu` the `/etc/nixos/configuration.nix` entry would be `boot.binfmt.emulatedSystems = [ "riscv64-linux" ]`. -3. Propose the commit as a PR to update bootstrap tarballs, tag people who can help you test the updated architecture and once reviewed tag `@lovesegfault` to upload the tarballs. +3. Propose the commit as a PR to update bootstrap tarballs, tag people who can help you test the updated architecture and once reviewed tag `@NixOS/infra-build` to upload the tarballs. ## How to add bootstrap files for a new target diff --git a/pkgs/development/tools/build-managers/gnumake/default.nix b/pkgs/development/tools/build-managers/gnumake/default.nix index 6c02cf3a21bfe..c6840241c6095 100644 --- a/pkgs/development/tools/build-managers/gnumake/default.nix +++ b/pkgs/development/tools/build-managers/gnumake/default.nix @@ -37,9 +37,7 @@ stdenv.mkDerivation (finalAttrs: { # TODO: stdenv’s setup.sh should be aware of patch directories. It’s very # convenient to keep them in a separate directory but we can defer listing the # directory until derivation realization to avoid unnecessary Nix evaluations. - patches = - lib.filesystem.listFilesRecursive ./patches - ++ lib.optionals stdenv.hostPlatform.isMusl (lib.filesystem.listFilesRecursive ./musl-patches); + patches = lib.filesystem.listFilesRecursive ./patches; nativeBuildInputs = [ autoreconfHook diff --git a/pkgs/development/tools/build-managers/gnumake/patches/0001-No-impure-bin-sh.patch b/pkgs/development/tools/build-managers/gnumake/patches/0001-No-impure-bin-sh.patch index b553b31d997d7..cd30fd38be02a 100644 --- a/pkgs/development/tools/build-managers/gnumake/patches/0001-No-impure-bin-sh.patch +++ b/pkgs/development/tools/build-managers/gnumake/patches/0001-No-impure-bin-sh.patch @@ -1,7 +1,7 @@ 
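Review bot: In gnumake/default.nix the new `patches = lib.filesystem.listFilesRecursive ./patches;` applies the two getenv/getopt signature patches (0004 and 0005, moved out of musl-patches) on every platform, and nothing next to the attribute records that they were musl-only before or why they are now wanted everywhere. Since gnumake is part of the stdenv build, I would add a comment above the line such as `# 0004/0005 (getenv/getopt signature fixes) were musl-only; now applied unconditionally because <reason>`. The attribute also applies whatever files exist under ./patches, so the patch set is defined by directory contents rather than by a list in this file; an explicit list would make an added or dropped patch show up in the diff of default.nix, although the existing TODO suggests the directory listing is deliberate. The enclosing mkDerivation call starts and ends outside the hunk.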
From 532276a537fbfc08c946c9f808f1b0bb54e16523 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 24 Apr 2021 10:11:40 +0200 -Subject: [PATCH 1/3] No impure bin sh +Subject: [PATCH 1/5] No impure bin sh default_shell is used to populuate default shell used to execute jobs. Unless SHELL is set to a different value this would be /bin/sh. diff --git a/pkgs/development/tools/build-managers/gnumake/patches/0002-Remove-impure-dirs.patch b/pkgs/development/tools/build-managers/gnumake/patches/0002-Remove-impure-dirs.patch index 8ba6b743176f5..49f6e3543e7a8 100644 --- a/pkgs/development/tools/build-managers/gnumake/patches/0002-Remove-impure-dirs.patch +++ b/pkgs/development/tools/build-managers/gnumake/patches/0002-Remove-impure-dirs.patch @@ -1,7 +1,7 @@ -From 2db52008be2e2d504889f4f19318c2ba5a2a4797 Mon Sep 17 00:00:00 2001 +From 99dcf18f8c66c25e17e0b84c005b03000312eb8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 24 Apr 2021 10:20:16 +0200 -Subject: [PATCH 2/3] Remove impure dirs +Subject: [PATCH 2/5] Remove impure dirs Purity: don't look for library dependencies (of the form `-lfoo') in /lib and /usr/lib. It's a stupid feature anyway. Likewise, when @@ -40,5 +40,5 @@ index fe67ab28..1b76560c 100644 #if defined(WINDOWS32) && !defined(LIBDIR) /* -- -2.44.1 +2.51.2 diff --git a/pkgs/development/tools/build-managers/gnumake/patches/0003-Do-not-search-for-a-C-compiler-and-set-MAKE_CXX.patch b/pkgs/development/tools/build-managers/gnumake/patches/0003-Do-not-search-for-a-C-compiler-and-set-MAKE_CXX.patch index cb0ce4defb45b..a48b6192d2b13 100644 --- a/pkgs/development/tools/build-managers/gnumake/patches/0003-Do-not-search-for-a-C-compiler-and-set-MAKE_CXX.patch +++ b/pkgs/development/tools/build-managers/gnumake/patches/0003-Do-not-search-for-a-C-compiler-and-set-MAKE_CXX.patch 
@@ -1,7 +1,7 @@ -From 3317b3a78666e6073c63f62a322176e3dc680461 Mon Sep 17 00:00:00 2001 +From e63470a43889be3f61c71ca31e57b4e3c3da5961 Mon Sep 17 00:00:00 2001 From: Ivan Trubach Date: Sat, 17 Aug 2024 22:35:03 +0300 -Subject: [PATCH 3/3] Do not search for a C++ compiler and set MAKE_CXX +Subject: [PATCH 3/5] Do not search for a C++ compiler and set MAKE_CXX MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -79,5 +79,5 @@ index e396269b..78ba402f 100644 /* This expands to $(CO) $(COFLAGS) $< $@ if $@ does not exist, and to the empty string if $@ does exist. */ -- -2.44.1 +2.51.2 diff --git a/pkgs/development/tools/build-managers/gnumake/musl-patches/0004-Fix-signatures-for-getenv-getopt.patch b/pkgs/development/tools/build-managers/gnumake/patches/0004-Fix-signatures-for-getenv-getopt.patch similarity index 100% rename from pkgs/development/tools/build-managers/gnumake/musl-patches/0004-Fix-signatures-for-getenv-getopt.patch rename to pkgs/development/tools/build-managers/gnumake/patches/0004-Fix-signatures-for-getenv-getopt.patch diff --git a/pkgs/development/tools/build-managers/gnumake/musl-patches/0005-Fix-signatures-for-getenv-getopt.patch b/pkgs/development/tools/build-managers/gnumake/patches/0005-Fix-signatures-for-getenv-getopt.patch similarity index 100% rename from pkgs/development/tools/build-managers/gnumake/musl-patches/0005-Fix-signatures-for-getenv-getopt.patch rename to pkgs/development/tools/build-managers/gnumake/patches/0005-Fix-signatures-for-getenv-getopt.patch