Commit Graph

7 Commits

Author SHA1 Message Date
Damien Diederen
3363377530 vmTools.debClosureGenerator: Fix non-determinism in dependency graph
By default, Perl versions since 5.8.1 use randomization to make hashes
resistant to complexity attacks.

That randomization makes building VM images such as ubuntu1804x86_64
non-deterministic because the (imported) derivations built by
deb/deb-closure.pl are not stable.

This can easily be observed by repeating the following sequence of
commands and noting the path of the image's .drv:

    nix-instantiate -E '(import <nixpkgs> {}).vmTools.diskImageFuns.ubuntu1804x86_64 {}'
    nix-store --delete /nix/store/*ubuntu-18.04-bionic-amd64.nix

One source of non-determinism is the handling of Provides/Replaces,
which depends on the order of iteration over %packages.  Here is a
diff showing the corresponding change in output:

     >>> awk
    -virtual awk: using original-awk
    -    original-awk: libc6 (>= 2.14)
    +virtual awk: using mawk
    +    mawk: libc6 (>= 2.14)

    -    mawk: libc6 (>= 2.14)
    ->>> libc6

This patch sorts packages by name for Provides/Replaces processing,
which seems to result in stable output.

(If the above turns out not to be sufficient, one could also set the
PERL_HASH_SEED and PERL_PERTURB_KEYS environment variables, documented
in 'perlrun', to disable Perl's built-in randomization.  Complexity
attacks are not an issue as we control and trust all inputs.)
2020-12-30 11:37:37 +01:00
Eelco Dolstra
e7480d9cb7 Add Debian 7.0 2013-05-07 11:19:46 +02:00
Eelco Dolstra
b29d424115 Get deb-closure.pl to work with the latest dpkg 2012-12-04 19:56:31 +01:00
Eelco Dolstra
20de8c8086 Make the "universe" repository available to the Ubuntu image generator
Also fix Ubuntu 12.04 name from "oneiric" to "precise".
2012-08-27 13:53:07 -04:00
Eelco Dolstra
bacc6ab790 Remove trailing whitespace 2012-08-27 13:53:07 -04:00
Eelco Dolstra
a3d259adf0 * Remove `~' from Debian package filenames (they're not allowed in the
Nix store at top-level for portability reasons).  (NIX-106)

svn path=/nixpkgs/trunk/; revision=12133
2008-06-17 07:53:09 +00:00
Eelco Dolstra
bf5db34927 * Move to Nixpkgs: support for building in VMs is more generally
useful, probably.

svn path=/nixpkgs/trunk/; revision=11126
2008-03-14 13:51:01 +00:00
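
The order dependence described in the message of commit 3363377530, as an added example that is not code from deb-closure.pl or from the commit itself: it resolves a virtual package from a hash of packages, once in arbitrary order and once sorted by name. The package data is constructed, `resolve_provides` is a hypothetical helper, the "last provider visited wins" rule is an assumption, and `shuffle` stands in for Perl's per-process hash randomization so the effect is visible within a single run.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use List::Util qw(shuffle);

# Constructed sample data: three packages provide the virtual package "awk".
my %packages = (
    'gawk'         => { Package => 'gawk',         Provides => 'awk' },
    'mawk'         => { Package => 'mawk',         Provides => 'awk' },
    'original-awk' => { Package => 'original-awk', Provides => 'awk' },
    'libc6'        => { Package => 'libc6' },
);

# Map each virtual name to one provider, visiting packages in the given order.
# Assumption: the last provider visited wins, so the result depends on order.
sub resolve_provides {
    my ($pkgs, @order) = @_;
    my %provides;
    for my $name (@order) {
        my $p = $pkgs->{$name};
        next unless defined $p->{Provides};
        for my $virt (split /\s*,\s*/, $p->{Provides}) {
            next if exists $pkgs->{$virt};   # a real package shadows the virtual name
            $provides{$virt} = $p->{Package};
        }
    }
    return \%provides;
}

# Unstable: the visit order is arbitrary. shuffle() simulates what a fresh
# hash seed does to "keys %packages" from one perl process to the next.
my %seen_unsorted;
$seen_unsorted{ resolve_provides(\%packages, shuffle keys %packages)->{awk} }++
    for 1 .. 200;

# Stable: sort package names before processing Provides.
my %seen_sorted;
$seen_sorted{ resolve_provides(\%packages, sort keys %packages)->{awk} }++
    for 1 .. 200;

printf "unsorted order chose: %s\n", join(', ', sort keys %seen_unsorted);
printf "sorted order chose:   %s\n", join(', ', sort keys %seen_sorted);

# A build input must resolve to exactly one provider on every run.
die "sorted resolution is not stable\n" unless keys(%seen_sorted) == 1;
```

The same check works as a regression test for any generator whose output feeds a content-addressed store: run the resolution repeatedly and fail if more than one distinct result appears.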