!LemuOOvbWqRXodtSsw:nixos.org

NixOS Reproducible Builds

483 Members
Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30108 Servers

Load older messages

SenderMessageTime
9 Oct 2024
@chayleaf:matrix.pavluk.orgchayleaf

basically:

  • i haven't built any of the native dependencies myself, they are copied from the cache
  • the java dependencies from gradle are downloaded by url+hash pairs, so they can't really differ
12:44:20
@raboof:matrix.orgrabooftbh I don't see anything obvious in https://github.com/search?q=repo%3Afreeplane%2Ffreeplane%20globalBin&type=code that'd put that file there... maybe compare the builds logs between your local build and the one from the binary cache?12:55:56
@chayleaf:matrix.pavluk.orgchayleafthe tasks run in a different order, maybe parallel building is the issue?14:16:40
@chayleaf:matrix.pavluk.orgchayleaf if its consistently not generating that file for you, can you try setting enableParallelBuilding to false? 14:17:18
@raboof:matrix.orgraboofthen I indeed see it14:21:10
12 Oct 2024
@steeringwheelrules:tchncs.de@steeringwheelrules:tchncs.de joined the room.22:47:32
14 Oct 2024
@msanft:matrix.orgMoritz Sanft Hey, we think there's a substantial problem about Nix's store optimisations in conjunction with reproducible builds, and we'd like to hear some opinions on it.

Consider the following:

  1. 2 distinct Files in Nix store, same content (-> same NAR hash). But different permissions, except for executability (e.g. 600 and 644). NAR hash is still the same.

  2. nix store optimise looks for deduplication possibilities by matching on NAR hashes. Finds the 2 files and hardlinks one to the other.

  3. File is used in an archive, image, etc. (i.e. any file where the permissions influence its actual contents) - Now this file is inherently irreproducible.


I think that either Nix should not use NAR hashes for store optimisation, change NAR to reflect all permissions (which is unrealistic due to the impact of the change). But curious to hear what you think about this. We just tracked down a image reproducibility bug we fought with for a long time to this and it was very annoying to actually find this. 		08:16:40
@msanft:matrix.orgMoritz Sanft CC @Paul Meyer (katexochen) 08:16:50
@sandro:supersandro.deSandro 🐧Isn't this a common thing that such files need to resolve hard links?15:47:15
@sandro:supersandro.deSandro 🐧I think we had such problems before, not necessarily with permissions though15:47:34
@raboof:matrix.orgraboofshouldn't files in the store typically have 444/555 permissions anyway? or is that different for hardlinks?15:49:47
@katexochen:matrix.orgPaul Meyer (katexochen)They should, at least this looks like it: https://github.com/NixOS/nix/blob/d5c45952acffebce29873f14e5eeca3ac78cbe26/src/libstore/posix-fs-canonicalise.hh#L23 16:18:19
@katexochen:matrix.orgPaul Meyer (katexochen) Grepping nix store for writable files returns a ton of writable files, both on my local system as well as on my remote builder:
find /nix/store -type f -perm -u+w ! -perm -g+w ! -perm -o+w
Those have also modified time stamps. 🤔 		16:20:52
@katexochen:matrix.orgPaul Meyer (katexochen) * Grepping nix store for writable files returns a ton, both on my local system as well as on my remote builder:
find /nix/store -type f -perm -u+w ! -perm -g+w ! -perm -o+w
Those have also modified time stamps. 🤔 		16:21:07
@katexochen:matrix.orgPaul Meyer (katexochen) 
stat /nix/store/a3b4xpykc7x1gz7d5kvcw40qf0xlqg4n-python3.11-fabric-3.2.2/lib/python3.11/site-packages/fabric-3.2.2.dist-info/top_level.txt
  File: /nix/store/a3b4xpykc7x1gz7d5kvcw40qf0xlqg4n-python3.11-fabric-3.2.2/lib/python3.11/site-packages/fabric-3.2.2.dist-info/top_level.txt
  Size: 7         	Blocks: 8          IO Block: 4096   regular file
Device: 0,41	Inode: 189116731   Links: 1
Access: (0644/-rw-r--r--)  Uid: (872415232/ UNKNOWN)   Gid: (872415232/ UNKNOWN)
Access: 2024-10-14 12:11:20.405597533 +0000
Modify: 2024-10-14 12:11:20.405597533 +0000
Change: 2024-10-14 12:11:20.444598825 +0000
 Birth: 2024-10-14 12:11:20.405597533 +0000
16:23:18
@katexochen:matrix.orgPaul Meyer (katexochen)

I can reproduce this using nixpkgs-review + remote builder with a commit that doesn't build. For example, running nixpkgs-review rev HEAD on https://github.com/katexochen/nixpkgs/pull/new/repro/azure-cli/2-65 will lead to the following on the configured remote builder:

$ ls -la /nix/store/*azure-cli* | grep nixbld
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root      nixbld    6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld  6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
18:12:51
@katexochen:matrix.orgPaul Meyer (katexochen) *

I can reproduce this using nixpkgs-review + remote builder with a commit that doesn't build. For example, running nixpkgs-review rev HEAD on https://github.com/katexochen/nixpkgs/tree/repro/azure-cli/2-65 will lead to the following on the configured remote builder:

$ ls -la /nix/store/*azure-cli* | grep nixbld
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root      nixbld    6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld  6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
18:13:49
15 Oct 2024
@atemu12:matrix.orgatemu12
In reply to @msanft:matrix.org
Hey, we think there's a substantial problem about Nix's store optimisations in conjunction with reproducible builds, and we'd like to hear some opinions on it.

Consider the following:

  1. 2 distinct Files in Nix store, same content (-> same NAR hash). But different permissions, except for executability (e.g. 600 and 644). NAR hash is still the same.

  2. nix store optimise looks for deduplication possibilities by matching on NAR hashes. Finds the 2 files and hardlinks one to the other.

  3. File is used in an archive, image, etc. (i.e. any file where the permissions influence its actual contents) - Now this file is inherently irreproducible.


I think that either Nix should not use NAR hashes for store optimisation, change NAR to reflect all permissions (which is unrealistic due to the impact of the change). But curious to hear what you think about this. We just tracked down a image reproducibility bug we fought with for a long time to this and it was very annoying to actually find this.
I don't really see that as an r13y bug, as the actual bug is that a NAR-relevant modification of the store path is performed with a file that was -x before becoming +x (or vice versa? That'd be even worse.) 		04:14:54
@atemu12:matrix.orgatemu12 Paul Meyer (katexochen): I think that's an existing bug where some programs ran as root are somehow able to remount the Nix store read-write and other programs are then able to modify their store paths which some of them do. 04:16:15
@raboof:matrix.orgraboof
In reply to @katexochen:matrix.org

I can reproduce this using nixpkgs-review + remote builder with a commit that doesn't build. For example, running nixpkgs-review rev HEAD on https://github.com/katexochen/nixpkgs/tree/repro/azure-cli/2-65 will lead to the following on the configured remote builder:

$ ls -la /nix/store/*azure-cli* | grep nixbld
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root      nixbld    6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld  6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
right, so those files can have write permissions when they've been written to the store but then the build fails before the files were 'canonicalised'. If the build fails before completing then the derivation should not have been added to the store db, and thus should not be used by any other derivation yet, though, right? so that doesn't seem like it explains the problem you and Moritz Sanft saw yet? 		07:02:19
@raboof:matrix.orgraboof
In reply to @katexochen:matrix.org
Grepping nix store for writable files returns a ton, both on my local system as well as on my remote builder:
find /nix/store -type f -perm -u+w ! -perm -g+w ! -perm -o+w
Those have also modified time stamps. 🤔
interestingly this returns no results on my NixOS installation (which doesn't use store optimization). Are those files hardlinked by store optimization? 		07:05:06
@emilazy:matrix.orgemilyoh, so even Linux users have optimization-based store corruption!07:05:14
@raboof:matrix.orgraboof
In reply to @katexochen:matrix.org

I can reproduce this using nixpkgs-review + remote builder with a commit that doesn't build. For example, running nixpkgs-review rev HEAD on https://github.com/katexochen/nixpkgs/tree/repro/azure-cli/2-65 will lead to the following on the configured remote builder:

$ ls -la /nix/store/*azure-cli* | grep nixbld
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root      nixbld    6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld  6669116 Oct 14 18:01 ..
drwxrwxr-t 1 root nixbld 6669116 Oct 14 18:01 ..
* right, so those files can have write permissions when they've been written to the store but then the build fails before the files were 'canonicalised'? If the build fails before completing then the derivation should not have been added to the store db, and thus should not be used by any other derivation yet, though, right? so that doesn't seem like it explains the problem you and Moritz Sanft saw yet? 		07:06:07
@katexochen:matrix.orgPaul Meyer (katexochen)
In reply to @raboof:matrix.org
interestingly this returns no results on my NixOS installation (which doesn't use store optimization). Are those files hardlinked by store optimization?

The one from above isn't:

$ find / -inum 189116731 2>/dev/null
/nix/store/a3b4xpykc7x1gz7d5kvcw40qf0xlqg4n-python3.11-fabric-3.2.2/lib/python3.11/site-packages/fabric-3.2.2.dist-info/top_level.txt
07:09:42
@katexochen:matrix.orgPaul Meyer (katexochen)No explanation how the writable file ended up in the image, no. I'd have to look deeper into the hardlink optimization. Maybe there is a race with creating the link under /nix/store/.links and the build failing? Then any file from a successful derivation could be hardlinked against a writable file.07:15:35
@atemu12:matrix.orgatemu12I get a ton of paths but it's all either .lock files or paths that I attempted to build once but cancelled07:15:52
@atemu12:matrix.orgatemu12You can tell by that the top-level path has an associated .lock file07:16:10
@atemu12:matrix.orgatemu12 Does /nix/store/a3b4xpykc7x1gz7d5kvcw40qf0xlqg4n-python3.11-fabric-3.2.2.lock exist? 07:16:24
@katexochen:matrix.orgPaul Meyer (katexochen)
In reply to @atemu12:matrix.org
Does /nix/store/a3b4xpykc7x1gz7d5kvcw40qf0xlqg4n-python3.11-fabric-3.2.2.lock exist?
Yes it does 		07:24:34
@atemu12:matrix.orgatemu12Well then that path is not actually alive07:25:01

Show newer messages

Back to Room ListRoom Version: 6