!LemuOOvbWqRXodtSsw:nixos.org

NixOS Reproducible Builds

Report: https://reproducible.nixos.org
Project progress: https://github.com/orgs/NixOS/projects/30106

Sender Message Time
31 Oct 2025
@elvishjerricco:matrix.org ElvishJerricco: a default nixos config, including the ISO, already depends on ShellCheck because of nixos-firewall-tool, FYI 22:58:59
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): not minimal tho 22:59:46
@elvishjerricco:matrix.org ElvishJerricco: yes minimal? 22:59:53
@elvishjerricco:matrix.org ElvishJerricco: I just checked 22:59:58
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): HUH? 23:00:11
@elvishjerricco:matrix.org ElvishJerricco: like shellcheck isn't in the runtime closure 23:00:16
@elvishjerricco:matrix.org ElvishJerricco: but it's a build dep 23:00:19
@elvishjerricco:matrix.org ElvishJerricco: because of nixos-firewall-tool, which is included in the ISO by default 23:00:29
@elvishjerricco:matrix.org ElvishJerricco: and because of the switchChecks thing 23:00:36
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): but nix why-depends --derivation --all should catch build deps 23:00:43
@elvishjerricco:matrix.org ElvishJerricco: but I feel like you all seemed like you were hoping to get rid of that one 23:00:45
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): so why do i not have it 23:00:52
@elvishjerricco:matrix.org ElvishJerricco: that's how I checked 23:01:00
@elvishjerricco:matrix.org ElvishJerricco:
$ nix why-depends --all --derivation /nix/store/khbsc32pf6symcds7b0h6f5q5gcb9sw3-nixos-system-nixos-25.11pre-git /nix/store/njgb6m19ahgd8nky23v9rrms2m795a36-ShellCheck-0.11.0.drv
/nix/store/80sf1wyzqdx5skwx0xk45kx4g5m6grxm-nixos-system-nixos-25.11pre-git.drv
├───/nix/store/q644d4sgqfm7svxar9nv291nsgmxb583-pre-switch-checks.drv
│   └───/nix/store/njgb6m19ahgd8nky23v9rrms2m795a36-ShellCheck-0.11.0.drv
├───/nix/store/ixbr9d7cxl5g6sj93ksllafxg8mig4p8-system-path.drv
│   └───/nix/store/50da2pns6ds235ch37d67dzg9xg6yghq-nixos-firewall-tool.drv
│       └───/nix/store/njgb6m19ahgd8nky23v9rrms2m795a36-ShellCheck-0.11.0.drv
└───/nix/store/2wp8n0yprgpfs71frcznx8ghrsg660wg-etc.drv
    ├───/nix/store/ixbr9d7cxl5g6sj93ksllafxg8mig4p8-system-path.drv
    ├───/nix/store/483q7k25qd0nl4iq8fiwzx4ifn06jn2d-dbus-1.drv
    │   └───/nix/store/ixbr9d7cxl5g6sj93ksllafxg8mig4p8-system-path.drv
    ├───/nix/store/nvh1ra4bxflzfrxj8179s9dv9ii21kkv-system-units.drv
    │   ├───/nix/store/6rd11hxqp6ij4llwy25amqmq8yj0vlnv-unit-polkit.service.drv
    │   │   └───/nix/store/n8g98j67ghaybphdr408hd70qhkfcvy8-X-Restart-Triggers-polkit.drv
    │   │       └───/nix/store/ixbr9d7cxl5g6sj93ksllafxg8mig4p8-system-path.drv
    │   └───/nix/store/h5py00d9vcm8vrl6kwi094krrsq5d976-unit-dbus.service.drv
    │       └───/nix/store/3x9csa17m616bbs2gfai00wwbs7453d9-X-Restart-Triggers-dbus.drv
    │           └───/nix/store/483q7k25qd0nl4iq8fiwzx4ifn06jn2d-dbus-1.drv
    └───/nix/store/brnmqxs3583vbq5hygsfyz3irihrgwr6-user-units.drv
        └───/nix/store/g97scs6yiqpdkd0d7aisc0pm4pz7ryr5-unit-dbus.service.drv
            └───/nix/store/3x9csa17m616bbs2gfai00wwbs7453d9-X-Restart-Triggers-dbus.drv
23:01:53
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): AH, networking.firewall.enable = lib.mkDefault false; in bashless profile for that exact reason, and then later enable nftables and kernel modules manually 23:02:09
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): so yeah i guess the default minimalism profile does have it twice 23:02:37
@emilazy:matrix.org emily: bashless should pretty much guarantee no ShellCheck by definition right? 23:02:40
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): well yes, but i still want switching so i don't run full bashless :P 23:03:05
@emilazy:matrix.org emily: making it a passthru.tests for nixos-firewall-tool sounds easy at least 23:03:14
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): but yeah i guess i am being silly here 23:03:16
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): tbh nixos-firewall-tool should be disable-able by itself 23:03:49
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): without disabling the rest of the firewall module, i mean 23:04:13
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): i mean i guess it's just networking.firewall.trustedInterfaces = [ "lo" ]; and adding some stuff to system packages, but still 23:05:27
@elvishjerricco:matrix.org ElvishJerricco: so, are we wanting to get shellcheck out of the build closure for these two things? 23:17:40
@emilazy:matrix.org emily: it seems very easy to do; we're just missing one conditional and one move to passthru.tests. though perhaps we should check if any of them pull in Pandoc first… 23:20:16
@raboof:matrix.org raboof: I think the reproducible builds report should not be the motivation for such a change, but it seems like reducing the build closure would be nice 'in general' 23:23:12
@emilazy:matrix.org emily: yeah, it's just nice to be able to avoid 23:25:55
@emilazy:matrix.org emily: sooner you get done with the minimal ISO the sooner you can move on to the graphical one, anyway! 23:26:03
@emilazy:matrix.org emily: GHC is unlikely to leave the build closure of that one 23:26:12
@pyrox:pyrox.dev dish [Fox/It/She]:
In reply to @raboof:matrix.org
I think the reproducible builds report should not be the motivation for such a change, but it seems like reducing the build closure would be nice 'in general'
it's not the primary motivation, but reducing the size of these closures is good for UX
23:34:06