By default, Perl versions since 5.8.1 use randomization to make hashes
resistant to complexity attacks.
That randomization makes building VM images such as ubuntu1804x86_64
non-deterministic because the (imported) derivations built by
deb/deb-closure.pl are not stable.
This can easily be observed by repeating the following sequence of
commands and noting the path of the image's .drv:

  nix-instantiate -E '(import <nixpkgs> {}).vmTools.diskImageFuns.ubuntu1804x86_64 {}'
  nix-store --delete /nix/store/*ubuntu-18.04-bionic-amd64.nix

One source of non-determinism is the handling of Provides/Replaces,
which depends on the order of iteration over %packages. Here is a
diff showing the corresponding change in output:
>>> awk
-virtual awk: using original-awk
- original-awk: libc6 (>= 2.14)
+virtual awk: using mawk
+ mawk: libc6 (>= 2.14)
- mawk: libc6 (>= 2.14)
->>> libc6
This patch sorts packages by name for Provides/Replaces processing,
which seems to result in stable output.
(If the above turns out not to be sufficient, one could also set the
PERL_HASH_SEED and PERL_PERTURB_KEYS environment variables, documented
in 'perlrun', to disable Perl's built-in randomization. Complexity
attacks are not an issue as we control and trust all inputs.)
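
An added illustration, not part of the commit above or of deb/deb-closure.pl: a Perl script in which the first provider seen for a virtual package wins, re-run in fresh interpreters to compare hash-order iteration with sorted iteration, first with default randomization and then with PERL_HASH_SEED and PERL_PERTURB_KEYS pinned. The package table and the helper names pick_provider and distinct_picks are constructed for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Package name -> virtual packages it Provides (constructed sample data).
my %packages = (
    'gawk'         => ['awk'],
    'mawk'         => ['awk'],
    'original-awk' => ['awk'],
    'libc6'        => [],
);

# The first provider seen for a virtual package wins, so the result
# depends entirely on the order in which package names are visited.
sub pick_provider {
    my ($virtual, @order) = @_;
    for my $name (@order) {
        return $name if grep { $_ eq $virtual } @{ $packages{$name} };
    }
    return;
}

# Child mode: report the pick under hash order and under sorted order.
if (@ARGV && $ARGV[0] eq '--child') {
    printf "%s %s\n",
        pick_provider('awk', keys %packages),
        pick_provider('awk', sort keys %packages);
    exit 0;
}

# Re-run this script in fresh interpreters and collect the distinct picks.
# Returns "hash-order picks | sorted picks".
sub distinct_picks {
    my ($runs) = @_;
    my (%hash_order, %sorted);
    for (1 .. $runs) {
        # List-form open: no shell is involved in spawning the child.
        open(my $child, '-|', $^X, $0, '--child') or die "cannot spawn: $!";
        my ($unsorted_pick, $sorted_pick) = split ' ', scalar <$child>;
        close $child;
        $hash_order{$unsorted_pick}++;
        $sorted{$sorted_pick}++;
    }
    return join(',', sort keys %hash_order) . ' | ' . join(',', sort keys %sorted);
}

delete @ENV{qw(PERL_HASH_SEED PERL_PERTURB_KEYS)};   # Perl's default behaviour
print "randomized (default): ", distinct_picks(20), "\n";
@ENV{qw(PERL_HASH_SEED PERL_PERTURB_KEYS)} = (0, 0); # pinned, as in 'perlrun'
print "seed pinned to 0:     ", distinct_picks(20), "\n";
```

Pinning the seed only makes the hash order repeatable for one Perl build; sorting the keys is what makes the choice independent of the interpreter.
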
* In addition to the `diskImages' set, there now is a `diskImageFuns'
set that holds functions to build a disk image for a specific
distribution, given a list of names of top-level packages that
should be included in the image. This makes it easier to customise
an image (e.g. if you want to build an RPM in an image with some
very specific dependencies that aren't in the default image).
* Added Fedora 6.
svn path=/nixpkgs/trunk/; revision=11513
expression for a Debian closure automatically (so that we don't have
to remember to regenerate those files ourselves). The `import
<derivation>' feature generally shouldn't be used in Nixpkgs, but
since it's only used in the buildfarm it should be fine.
svn path=/nixpkgs/trunk/; revision=11512