Add a flag ‘--check’ to verify build determinism
The flag ‘--check’ to ‘nix-store -r’ or ‘nix-build’ will cause Nix to redo the build of a derivation whose output paths are already valid. If the new output differs from the original output, an error is printed. This makes it easier to test if a build is deterministic. (Obviously this cannot catch all sources of non-determinism, but it catches the most common one, namely the current time.)

For example:

  $ nix-build '<nixpkgs>' -A patchelf
  ...
  $ nix-build '<nixpkgs>' -A patchelf --check
  error: derivation `/nix/store/1ipvxsdnbhl1rw6siz6x92s7sc8nwkkb-patchelf-0.6' may not be deterministic: hash mismatch in output `/nix/store/4pc1dmw5xkwmc6q3gdc9i5nbjl4dkjpp-patchelf-0.6.drv'

The --check build fails if not all outputs are valid. Thus the first call to nix-build is necessary to ensure that all outputs are valid.

The current outputs are left untouched: the new outputs are either put in a chroot or diverted to a different location in the store using hash rewriting.
Showing
- scripts/nix-build.in: 4 additions, 0 deletions
- src/libstore/build.cc: 78 additions, 44 deletions
- src/libstore/local-store.hh: 1 addition, 1 deletion
- src/libstore/remote-store.cc: 2 additions, 2 deletions
- src/libstore/remote-store.hh: 1 addition, 1 deletion
- src/libstore/store-api.hh: 4 additions, 1 deletion
- src/nix-env/nix-env.cc: 1 addition, 1 deletion
- src/nix-env/user-env.cc: 2 additions, 2 deletions
- src/nix-store/nix-store.cc: 4 additions, 3 deletions
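The rebuild-and-compare check described in the commit message, as an added shell example that is not part of this commit or of Nix: it re-runs a builder into a scratch directory, hashes both trees, and leaves the original output untouched. The function names (`tree_hash`, `check_build`, `build_fixed`, `build_stamped`), the exit codes and the two sample builders are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not Nix code. A "builder" here is any command or
# function that writes its result into the directory given as its last argument.

# Hash a directory tree: relative file names and contents, in a stable order.
tree_hash() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\n' "$f"
        cat "$f"
    done) | sha256sum | cut -d' ' -f1
}

# check_build ORIGINAL BUILDER [ARGS...]
# Re-runs BUILDER into a scratch directory and compares it with ORIGINAL.
# Returns 0 if identical, 1 on a hash mismatch, 2 if ORIGINAL does not
# exist yet (the first, normal build has to happen before the check).
check_build() {
    original=$1
    shift
    if [ ! -d "$original" ]; then
        echo "error: output '$original' is not valid; build it first" >&2
        return 2
    fi
    scratch=$(mktemp -d) || return 2
    # The new output is diverted to a scratch location, never over ORIGINAL.
    "$@" "$scratch/out" || { rm -rf "$scratch"; return 2; }
    new=$(tree_hash "$scratch/out")
    old=$(tree_hash "$original")
    rm -rf "$scratch"
    if [ "$new" != "$old" ]; then
        echo "error: build may not be deterministic: hash mismatch in output '$original'" >&2
        return 1
    fi
    return 0
}

# Constructed sample builders.
# Deterministic: output depends only on fixed input.
build_fixed() { mkdir -p "$1" && printf 'hello\n' > "$1/msg"; }
# Non-deterministic: embeds the current time (the sleep guarantees that
# two consecutive runs land in different seconds).
build_stamped() { mkdir -p "$1" && sleep 1 && date +%s > "$1/built-at"; }
```

Typical use is `build_stamped ./result` followed by `check_build ./result build_stamped`, mirroring the two `nix-build` calls in the commit message.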