The 2 builder “rules” imply that some derivations can’t produce arbitrary outputs. How does that work?
- Fixed-output derivations (FODs) are allowed to access the network
- They can do arbitrary computation, with a known output
- For example: download and patch a source archive
- Any derivation can provide an output hash to turn into a FOD
stdenv.mkDerivation {
  # ...
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  outputHash = "0lwdl06lbpnaqqjk8ap9dsags3bzma30z17v0zc7spng1gz8m6xj";
}
The derivation will fail if the output hash doesn’t match the expectation.
hash mismatch in fixed-output derivation '/nix/store/436kql2xd5acg3xkrdbgz3lzzmrazrfi-test-derivation':
  wanted: sha256:0lwdl06lbpnaqqjk8ap9dsags3bzma30z17v0zc7spng1gz8m6xj
  got: sha256:0clr01hmi9hy6nidvr2wzh8k13acsx8vd25jhy48hxgnjkxw6kap
error: build of '/nix/store/mr6pk4af05xa5h9mihi85qzif1yp8l6a-test-derivation.drv' failed
Fixed output builders are a common foot-gun! Let’s look at an example.
stdenv.mkDerivation rec {
  name = "tokei";
  src = pkgs.fetchurl {
    url = "https://github.com/XAMPPRocky/${name}/tarball/master";
    sha256 = "sha256-K0bIHHBTo31slbSWW/ruM7iYzb8rwmmuVCUehqDzAZc=";
  };
  # ...
}
What happens if latest.tar.gz changes?
Two issues can interact here:
- Nix hashes inputs and thus won’t re-run the builder if an output for it already exists in the Nix store
- Fixed-output derivations are also addressed by their output hash, so changing an input to the builder won’t re-run it as long as a store path for that hash already exists
How would you re-run a fixed-output-derivation builder?
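The two issues above can be seen without building anything. The following is an added example, not part of the original material: it evaluates three fixed-output derivations and compares their store paths. The `fetch` helper, the `example.invalid` URLs and the attribute names are hypothetical; the two hashes are the "wanted" and "got" values from the error message above. It goes one step past the text by also varying the output hash. Changing only the URL gives a different `.drv` but the same output path, while changing the hash gives a different output path.

```nix
# Added example. Evaluate with: nix-instantiate --eval --strict fod-paths.nix
# Only store paths are computed; nothing is downloaded or built.
let
  # Hypothetical minimal fixed-output "fetcher". The builder is a placeholder
  # that is never run, because the file is only evaluated.
  fetch = { url, outputHash }: derivation {
    name = "source.tar.gz";
    system = "x86_64-linux";
    builder = "/bin/sh";
    args = [ "-c" "exit 1" ];
    inherit url outputHash;          # url is an ordinary input of the .drv
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
  };

  # Hashes taken from the "hash mismatch" message shown earlier on this page.
  wanted = "0lwdl06lbpnaqqjk8ap9dsags3bzma30z17v0zc7spng1gz8m6xj";
  got    = "0clr01hmi9hy6nidvr2wzh8k13acsx8vd25jhy48hxgnjkxw6kap";

  a = fetch { url = "https://example.invalid/v1.tar.gz"; outputHash = wanted; };
  b = fetch { url = "https://example.invalid/v2.tar.gz"; outputHash = wanted; };
  c = fetch { url = "https://example.invalid/v2.tar.gz"; outputHash = got; };
in {
  # Does editing the URL produce a different derivation file?
  urlChangeAltersDrv = a.drvPath != b.drvPath;

  # Does editing the URL produce a different output path? If it does not,
  # an output already in the store is reused and the builder never runs.
  urlChangeAltersOutput = a.outPath != b.outPath;

  # Does editing the expected hash produce a different output path?
  hashChangeAltersOutput = b.outPath != c.outPath;

  # The paths themselves, for inspection.
  paths = { a = a.outPath; b = b.outPath; c = c.outPath; };
}
```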