public: only embed a git revision in install.sh on release

[basvandijk]

This is more of a RFC rather than a PR but I would like to present something concrete so we can talk about it.

To goal is to get rid of deep cloning the sdk repo on CI which has the advantage that it should be more efficient to evaluate and more reproducible to build. Note that all other repos already don't deep clone themselves.

Not deep cloning the repo means that on CI there's no .git directory. The only derivation in sdk that used .git is install-sh-release.

We change its logic as follows:

pkgs.runCommandNoCC "install-sh-release" {
  ...
  revision = if version != "snapshot"
             then "${src.rev} (${version})"
             else "omitted when not a release";
  ...
}

On release version will be based on the git tag and will be a version number like 0.5.0. In that case the revision that gets embedded in install.sh is: 140bc06 (0.5.0).

Note that this is the revision corresponding to the 0.5.0 tag and not the revision of the last commit to public/install like it was before!

When not doing a release, like when building locally, on PRs or for master, version will be set to snapshot and revision will be set to a default of omitted when not a release. We do this so that we don't build the install-sh-release derivation for every commit.

[nmattia]

LGTM. I've seen it labeled as <dirty> in other projects, when the project is built out of source.

[basvandijk]

I've seen it labeled as in other projects, when the project is built out of source.

I like that as well.

In that case I think it also makes sense to set version / pkgs.releaseVersion to dirty.

[knl]

In Java projects it's common to name everything that is not a release a -snapshot, which feels a bit nicer than dirty, in case someone comes across such artifact.

What is <revision only present in release>? How does it get set up/chosen? Is it fixed, or it changes per release?

[basvandijk]

In Java projects it's common to name everything that is not a release a -snapshot, which feels a bit nicer than dirty, in case someone comes across such artifact.

I don't have a strong opinion on this so snapshot works for me as well.

What is <revision only present in release>?

It's the value for revision when not doing a release. So when building locally, on PRs or for master. And note that revision gets embedded in the install script.

How does it get set up/chosen?

The logic is the following:

  revision = if version != "snapshot"
             then "${builtins.substring 0 7  src.rev} (${version})"
             else "omitted when not a release";

So when version is not "snapshot", i.e. equals a release version, revision will be set the the git revision.

However, when version equals "snapshot" (on PRs for example) we don't want to embed a git revision in the install script because that would require rebuilding the script for each commit. So in that case we embed the string omitted when not a release.

Is it fixed, or it changes per release?

On a release revision will be set to "${builtins.substring 0 7 src.rev} (${version})" which means that the git revision of the release will be embedded in the install script. So yes, it will change for every release.

[nmattia]

Ah, there was a misunderstanding. I meant using <dirty> as the revision in case no revision is present.

[basvandijk]

I've changed revision to omitted when not a release when not doing a release such that install.sh prints the following message:

Executing DFINITY SDK install script, commit: omitted when not a release

[hansl]

In previous projects, dirty means there are local changes. Here it means the same. The version contains dirty in the case where there are local uncommitted changes. snapshot is probably more acceptable.

LGTM here.

[nomeata]

I have been thinking about the problem “how to let nix-built projects self-identify”, aiming for the following goals:

• Unrelated commits don’t cause rebuilds
• If the project was built from a given commit, given the self-identification, I can find the commit
• It is possible to build without .git around (e.g. when fetching the source via a github tarball)

Sounds tricky, but the following might do the job:

At build time, the build script calculates the hash of the source directory (source of the derivation, i.e. a filtered subdirectory), maybe using nix-hash --type sha256 --base32, and embeds this string in the executable.

This way, no .git is needed, and you get the same value even if unrelated things change.

To identify the revision that corresponds to such a source identification, we’d need a small tool that takes a git repo and a derivation therein, goes through the commits, instantiating (but not building!) the derivation at the various commits, and calculates the source hashes there. It could keep a cache to be not too slow.

Downsides:

• Dirty source trees would not be identified in a recognizable manner.
• It only works well when building with nix (i.e. clean subtree); when building with make or cargo directly it might make more sense to just use git describe.

Does this sound feasible?

[basvandijk]

@nomeata I think your goals are desirable.

As a self-identification I would suggest simply using the hash part of $out.

This is better than only using the hash of the source directory since it covers all changes to the derivation (source code, configuration flags, patches, environment variables, build- and run-time dependencies, build script, etc.).

Additionally $out is known at Nix evaluation time meaning that the tool that traverses the git history only needs to Nix evaluate. For example:

$ nix-store --query --outputs \
  $(nix-instantiate ci/ci.nix -A dfinity.rs.ic-replica-release.x86_64-linux) \
  | grep -oP '/nix/store/\K.*?(?=-)'
q64x9cn87sxsvb28ikv85hbpqnhhv7x8

And we likely don't even have to write this tool since Hydra already has a DB mapping $out to a build and a build to an evaluation and an evaluation to a git revision.

Or in a SQL query:

function revision_of_out() {
  out_hash="$1"
  ssh hydra-int.dfinity.systems \
    "sudo -u hydra psql -d hydra -c \"
      SELECT jsei.revision
      FROM
        buildstepoutputs  AS bso,
        builds            AS b1,
        builds            AS b2,
        jobsetevalmembers AS jsem,
        jobsetevalinputs  AS jsei
      WHERE
            bso.path LIKE '%$out_hash%'
        AND bso.build = b1.id
        AND b1.drvpath = b2.drvpath
        AND b2.jobset = 'dfinity'
        AND b2.id = jsem.build
        AND jsem.eval = jsei.eval
        AND jsei.name = 'src'
      \""
}

$ revision_of_out q64x9cn87sxsvb28ikv85hbpqnhhv7x8
                 revision
------------------------------------------
 78d7569ebeb8bb53ae71cd8cd575f703438b6efb
(1 row)

Let's start embedding $out in the products we ship!

[nomeata]

Right … I was thinking about the $out path, but … the reasons why I thought it wouldn’t work don’t seem to make sense anymore.

What is the tradeoff out $out vs. the path of the derivation?

[basvandijk]

What is the tradeoff out $out vs. the path of the derivation?

I was thinking that the former is possible but the latter isn't because of a circular dependency. However now I'm not so sure if it is impossible. Will think about it some more after I get some sleep...

I would actually prefer using the drv path instead of $out if that would be possible since the aforementioned query can then be simplified.

[nomeata]

I was thinking that the former is possible but the latter isn't because of a circular dependency. However now I'm not so sure if it is impossible.

I think nix could make it possible (just put the “current derivation” in a environment variable when building a derivation), but upon first glance it does not seem possible to trick nix into doing that from within nix.

[basvandijk]

I was hoping for this to but it appears there's no environment variable pointing to the derivation:

nix-build -E \
  'let pkgs = import <nixpkgs> {};
   in derivation {
     name = "embed-drv-test";
     system = builtins.currentSystem;
     builder = "${pkgs.coreutils}/bin/env";
   }'
these derivations will be built:
  /nix/store/yn7wfi1npz2lzhf1axx0n9fp26nrsmv4-embed-drv-test.drv
building '/nix/store/yn7wfi1npz2lzhf1axx0n9fp26nrsmv4-embed-drv-test.drv'...
HOME=/homeless-shelter
NIX_BUILD_CORES=8
NIX_BUILD_TOP=/private/var/folders/5h/b11m6fxj2tqgbxwz5bgjy42c0000gn/T/nix-build-embed-drv-test.drv-0
NIX_LOG_FD=2
NIX_STORE=/nix/store
PATH=/path-not-set
PWD=/private/var/folders/5h/b11m6fxj2tqgbxwz5bgjy42c0000gn/T/nix-build-embed-drv-test.drv-0
TEMP=/private/var/folders/5h/b11m6fxj2tqgbxwz5bgjy42c0000gn/T/nix-build-embed-drv-test.drv-0
TEMPDIR=/private/var/folders/5h/b11m6fxj2tqgbxwz5bgjy42c0000gn/T/nix-build-embed-drv-test.drv-0
TERM=xterm-256color
TMP=/private/var/folders/5h/b11m6fxj2tqgbxwz5bgjy42c0000gn/T/nix-build-embed-drv-test.drv-0
TMPDIR=/private/var/folders/5h/b11m6fxj2tqgbxwz5bgjy42c0000gn/T/nix-build-embed-drv-test.drv-0
builder=/nix/store/ss8mv0709ychhy5hrlqas1xrk3xyr6s9-coreutils-8.31/bin/env
name=embed-drv-test
out=/nix/store/m9npdbsnz90blsmqi7ai875230ryz9pl-embed-drv-test
system=x86_64-darwin

$out it is.

[nmattia]

I don't understand the meaning of snapshot here. "That's how they do it in Java" is not a good enough argument.

[basvandijk]

What about "unreleased"?

[nmattia]

what about "nightly"?

[basvandijk]

Mmm "nightly" is usually used for periodic (every night) builds which doesn't apply to these builds which happen on every PR / every commit to master.

In most contexts "nightly" builds are actually released (See Firefox Nightly for example) which we don't want to do for our PRs.

[nmattia]

true. unreleased, tree, trunk, whatever you like! I'd even be happy with snapshot if I understood what it meant.

[basvandijk]

@knl do you have a definition for snapshot? Or maybe another nice color to paint this shed?

[basvandijk]

I've changed it to unreleased.

[nmattia]

there's an assumption that if version != "snapshot" then src != null. It'd be more robust to embed the revision iff revision is not null, and (independently) insert the version iff version is not null.

[basvandijk]

Fair enough. Will change.

[basvandijk]

I've changed the condition to src != null && version != "unreleased" which ensures that both src and version need to be set correctly to produce the "${builtins.substring 0 7 src.rev} (${version})" string.

[nmattia]

why not

revision = optionalString (!isNull src) (substring 0 7 src.rev) + optionalString (!isNull version) "(${version})"

?

even if no version is given, the commit is still very useful

[basvandijk]

Because that will rebuild this thing on every commit which would involve unnecessary churn and wasn't what the original behavior.