Merge pull request nix-community#274 from Atemu/2024

flake: bump to 2024

Author: Atemu

flake.lock

@@ -2,15 +2,14 @@
   description = "Build Android (AOSP) using Nix";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
 
     androidPkgs.url = "github:tadfisher/android-nixpkgs/stable";
 
     flake-compat.url = "github:nix-community/flake-compat";
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, androidPkgs, flake-compat,  ... }@inputs: let
+  outputs = { self, nixpkgs, androidPkgs, flake-compat,  ... }@inputs: let
     pkgs = import ./pkgs/default.nix { inherit inputs; };
   in {
     # robotnixSystem evaluates a robotnix configuration
@@ -43,7 +42,7 @@
 
         # For chromium updater script
         # python2
-        cipd git
+        # cipd git
 
         cachix
       ];

flake.nix

@@ -2,16 +2,19 @@
 # - no revision specified and remote has a HEAD which is used
 # - revision specified and remote has a HEAD
 # - revision specified and remote without HEAD
+#
+if [ -e "$NIX_ATTRS_SH_FILE" ]; then . "$NIX_ATTRS_SH_FILE"; elif [ -f .attrs.sh ]; then . .attrs.sh; fi
 source $stdenv/setup
 
-header "exporting $url (rev $rev) into $out"
+echo "exporting $url (rev $rev) into $out"
 
 $SHELL $fetcher --builder --url "$url" --out "$out" --rev "$rev" \
   ${leaveDotGit:+--leave-dotGit} \
   ${fetchLFS:+--fetch-lfs} \
   ${deepClone:+--deepClone} \
   ${fetchSubmodules:+--fetch-submodules} \
+  ${sparseCheckout:+--sparse-checkout "$sparseCheckout"} \
+  ${nonConeMode:+--non-cone-mode} \
   ${branchName:+--branch-name "$branchName"}
 
 runHook postFetch
-stopNest

pkgs/fetchgit/builder.sh

@@ -7,15 +7,22 @@
 
     short = builtins.substring 0 7 rev;
 
-    appendShort = if (builtins.match "[a-f0-9]*" rev) != null
-      then "-${short}"
-      else "";
+    appendShort = lib.optionalString ((builtins.match "[a-f0-9]*" rev) != null) "-${short}";
   in "${if matched == null then base else builtins.head matched}${appendShort}";
 in
-{ url, rev ? "HEAD", md5 ? "", sha256 ? "", hash ? "", leaveDotGit ? deepClone
+lib.makeOverridable (lib.fetchers.withNormalizedHash { } (
+# NOTE Please document parameter additions or changes in
+#   doc/build-helpers/fetchers.chapter.md
+{ url
+, tag ? null
+, rev ? null
+, leaveDotGit ? deepClone
+, outputHash ? lib.fakeHash, outputHashAlgo ? null
 , fetchSubmodules ? true, deepClone ? false
 , branchName ? null
-, name ? urlToName url rev
+, sparseCheckout ? []
+, nonConeMode ? false
+, name ? null
 , # Shell code executed after the file has been fetched
   # successfully. This can do things like check or transform the file.
   postFetch ? ""
@@ -26,11 +33,13 @@ in
 , # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes)
   # needed for netrcPhase
   netrcImpureEnvVars ? []
+, meta ? {}
+, allowedRequisites ? null
 }:
 
 /* NOTE:
    fetchgit has one problem: git fetch only works for refs.
-   This is because fetching arbitrary (maybe dangling) commits may be a security risk
+   This is because fetching arbitrary (maybe dangling) commits creates garbage collection risks
    and checking whether a commit belongs to a ref is expensive. This may
    change in the future when some caching is added to git (?)
    Usually refs are either tags (refs/tags/*) or branches (refs/heads/*)
@@ -51,44 +60,67 @@ in
 */
 
 assert deepClone -> leaveDotGit;
+assert nonConeMode -> (sparseCheckout != []);
+
+let
+  revWithTag =
+    let
+      warningMsg = "fetchgit requires one of either `rev` or `tag` to be provided (not both).";
+      otherIsNull = other: lib.assertMsg (other == null) warningMsg;
+    in
+    if tag != null then
+      assert (otherIsNull rev);
+      "refs/tags/${tag}"
+    else if rev != null then
+      assert (otherIsNull tag);
+      rev
+    else
+      # FIXME fetching HEAD if no rev or tag is provided is problematic at best
+      "HEAD";
+in
 
-if md5 != "" then
-  throw "fetchgit does not support md5 anymore, please use sha256"
-else if hash != "" && sha256 != "" then
-  throw "Only one of sha256 or hash can be set"
+if builtins.isString sparseCheckout then
+  # Changed to throw on 2023-06-04
+  throw "Please provide directories/patterns for sparse checkout as a list of strings. Passing a (multi-line) string is not supported any more."
 else
 stdenvNoCC.mkDerivation {
-  inherit name;
+  name = if name != null then name else urlToName url revWithTag;
+
   builder = ./builder.sh;
-  fetcher = ./nix-prefetch-git;  # This must be a string to ensure it's called with bash.
+  fetcher = ./nix-prefetch-git;
 
-  nativeBuildInputs = [ git ]
+  nativeBuildInputs = [ git cacert ]
     ++ lib.optionals fetchLFS [ git-lfs ];
 
-  outputHashAlgo = if hash != "" then null else "sha256";
+  inherit outputHash outputHashAlgo;
   outputHashMode = "recursive";
-  outputHash = if hash != "" then
-    hash
-  else if sha256 != "" then
-    sha256
-  else
-    lib.fakeSha256;
 
-  inherit url rev leaveDotGit fetchLFS fetchSubmodules deepClone branchName postFetch;
+  # git-sparse-checkout(1) says:
+  # > When the --stdin option is provided, the directories or patterns are read
+  # > from standard in as a newline-delimited list instead of from the arguments.
+  sparseCheckout = builtins.concatStringsSep "\n" sparseCheckout;
+
+  inherit url leaveDotGit fetchLFS fetchSubmodules deepClone branchName nonConeMode postFetch;
+  rev = revWithTag;
 
   postHook = if netrcPhase == null then null else ''
     ${netrcPhase}
     # required that git uses the netrc file
     mv {,.}netrc
+    export NETRC=$PWD/.netrc
     export HOME=$PWD
   '';
 
-  GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
-
   impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ netrcImpureEnvVars ++ [
     "GIT_PROXY_COMMAND" "NIX_GIT_SSL_CAINFO" "SOCKS_SERVER"
-    "ROBOTNIX_GIT_MIRRORS"
   ];
 
-  inherit preferLocalBuild;
+
+  inherit preferLocalBuild meta allowedRequisites;
+
+  passthru = {
+    gitRepoUrl = url;
+    inherit tag;
+  };
 }
+))

pkgs/fetchgit/default.nix

@@ -17,9 +17,9 @@ branchName=$NIX_PREFETCH_GIT_BRANCH_NAME
 out=${out:-}
 http_proxy=${http_proxy:-}
 
-# allow overwriting cacert's ca-bundle.crt with a custom one
-# this can be done by setting NIX_GIT_SSL_CAINFO and NIX_SSL_CERT_FILE environment variables for the nix-daemon
-GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$GIT_SSL_CAINFO}
+# NOTE: use of NIX_GIT_SSL_CAINFO is for backwards compatibility; NIX_SSL_CERT_FILE is preferred
+# as of PR#303307
+GIT_SSL_CAINFO=${NIX_GIT_SSL_CAINFO:-$NIX_SSL_CERT_FILE}
 
 # populated by clone_user_rev()
 fullRev=
@@ -171,7 +171,7 @@ checkout_hash(){
     clean_git fetch -t ${builder:+--progress} origin || return 1
 
     local object_type=$(git cat-file -t "$hash")
-    if [[ "$object_type" == "commit" ]]; then
+    if [[ "$object_type" == "commit" || "$object_type" == "tag" ]]; then
         clean_git checkout -b "$branchName" "$hash" || return 1
     elif [[ "$object_type" == "tree" ]]; then
         clean_git config user.email "nix-prefetch-git@localhost"
@@ -417,6 +417,7 @@ remove_tmpPath() {
 }
 
 remove_tmpHomePath() {
+    chmod -R u+w "$tmpHomePath"
     rm -rf "$tmpHomePath"
 }
 
@@ -457,8 +458,9 @@ else
     # If we don't know the hash or a path with that hash doesn't exist,
     # download the file and add it to the store.
     if test -z "$finalPath"; then
-
-        tmpPath="$(mktemp -d "${TMPDIR:-/tmp}/git-checkout-tmp-XXXXXXXX")"
+        # nix>=2.20 rejects adding symlinked paths to the store, so use realpath
+        # to resolve to a physical path. https://github.com/NixOS/nix/issues/11941
+        tmpPath="$(realpath "$(mktemp -d --tmpdir git-checkout-tmp-XXXXXXXX)")"
         exit_handlers+=(remove_tmpPath)
 
         tmpFile="$tmpPath/$(url_to_name "$url" "$rev")"

pkgs/fetchgit/nix-prefetch-git

@@ -1,10 +1,15 @@
-{ lib, inputs, fetchFromGitHub, rsync, git, gnupg, less, openssh, ... }:
+{ lib, gitRepo, fetchFromGitHub, fetchpatch2, rsync, git, gnupg, less, openssh, ... }:
 let
-  inherit (inputs) nixpkgs-unstable;
-
-  unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
+  git-patched = git.overrideAttrs (old: {
+    patches = old.patches or [ ] ++ [
+      ./ignore_dubious_ownership.patch
+    ];
+    # Likely won't succeed with the patch and we don't care.
+    doCheck = false;
+    doInstallCheck = false;
+  });
 in
-  unstablePkgs.gitRepo.overrideAttrs(oldAttrs: rec {
+  gitRepo.overrideAttrs(oldAttrs: rec {
     version = "2.45";
 
     src = fetchFromGitHub {
@@ -14,7 +19,7 @@ in
       hash = "sha256-f765TcOHL8wdPa9qSmGegofjCXx1tF/K5bRQnYQcYVc=";
     };
 
-    nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ rsync  git ];
+    nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ rsync git-patched ];
 
     repo2nixPatches = ./patches;
 
@@ -65,6 +70,10 @@ in
       wrapProgram "$out/bin/repo" \
         --set REPO_URL "file://$out/var/repo" \
         --set REPO_REV "$(cat ./COMMITED_REPO_REV)" \
-        --prefix PATH ":" "${ lib.makeBinPath [ git gnupg less openssh ] }"
+        --prefix PATH ":" "${ lib.makeBinPath [ git-patched gnupg less openssh ] }"
     '';
+
+    passthru = {
+      inherit git-patched;
+    };
   })

pkgs/gitRepo/default.nix

@@ -0,0 +1,11 @@
+diff --git a/setup.c b/setup.c
+--- a/setup.c
++++ b/setup.c
+@@ -1332,6 +1332,7 @@
+ void die_upon_dubious_ownership(const char *gitfile, const char *worktree,
+ 				const char *gitdir)
+ {
++  return; // Stubbed
+ 	struct strbuf report = STRBUF_INIT, quoted = STRBUF_INIT;
+ 	const char *path;
+ 

pkgs/gitRepo/ignore_dubious_ownership.patch

@@ -34,7 +34,9 @@ self: super: {
   });
   nix-prefetch-git = super.callPackage ./fetchgit/nix-prefetch-git.nix {};
 
-  gitRepo = super.callPackage ./gitRepo { inherit inputs; };
+  gitRepo = super.callPackage ./gitRepo {
+    inherit (super) gitRepo;
+  };
 
   ###