[Nix#9133] Fetching flake input with git+ssh requires the ssh executable #109

Open
opened 2024-03-16 06:44:57 +00:00 by lix-bot · 5 comments
Member

Upstream-Issue: NixOS/nix#9133

Describe the bug

Specifying a flake input using git+ssh seems to require the ssh executable which doesn't appear to be a dependency.

Steps To Reproduce

flake.nix:

```nix
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs";
    ara-deployment = {
      url = "git+ssh://git@some-server/android-deployment";
      flake = false;
    };
  };

  # ...
```

My CI docker container does not have `ssh` installed but the host does and we're building using the host's daemon. `$NIX_REMOTE_OPTS = "--eval-store auto --store $OUR_NIX_STORE"`

```
$ nix --version
nix (Nix) 2.17.0
$ nix store ping --store $OUR_NIX_STORE
Store URL: unix:///mnt/nix/var/nix/daemon-socket/socket
Version: 2.18.0pre20230901_4a8c9bb
Trusted: 1
$ nix run $NIX_REMOTE_OPTS .#build-ci
warning: the group 'nixbld' specified in 'build-users-group' does not exist
copying path '/nix/store/cz973qsjldbw4x7fx0rwcvhr9k645vz2-source' from 'https://cache.nixos.org'/...
error: cannot run ssh: No such file or directory
fatal: unable to fork
error:
       … while calling the 'derivationStrict' builtin
         at /builtin/derivation.nix:9:12: (source not available)
       … while evaluating derivation 'build-script-for-ci'
         whose name attribute is located at /nix/store/958b2h0b94rq3p1yhljzahgz8cxzjflv-source/pkgs/stdenv/generic/make-derivation.nix:300:7
       … while evaluating attribute 'text' of derivation 'build-script-for-ci'
         at /nix/store/958b2h0b94rq3p1yhljzahgz8cxzjflv-source/pkgs/build-support/trivial-builders/default.nix:148:16:
          147|     runCommand name
          148|       { inherit text executable checkPhase allowSubstitutes preferLocalBuild;
             |                ^
          149|         passAsFile = [ "text" ];
       error: program 'git' failed with exit code 128
```

Expected behavior

I would expect git and ssh to be dependencies of nix.

nix-env --version output

Additional context

Add any other context about the problem here.

Priorities

Add 👍 to issues you find important.

lix-bot added the bug, imported labels 2024-03-16 06:44:57 +00:00
jade added the Area/flakes label 2024-03-30 00:04:22 +00:00
Owner

there's two possible solutions: we put a hard dependency on git and ssh into lix (which is silly for stores that don't build things) or equivalently libgit2 or wontfix this. I'm going to wontfix it.

jade closed this issue 2024-05-10 18:08:57 +00:00
jade added the Status wontfix label 2024-05-10 18:09:06 +00:00
Owner

I actually would be fine with pulling Git and SSH into Lix's closure, so long as it's also buildable without too

Owner

I think they should be injected via a wrapper in a second derivation if we do that, as it gets us maximal build reuse.

Really the way it should work is that the nix you get as a user is the wrapper and the nix you get as a package is always unwrapped. But tbh I'm not really convinced we should do this: if a system doesn't have ssh on it, it's probably a tiny system that cares deeply about closure size already, which would be worsened by making this change.

Owner

I'm inclined to agree with @qyriad, making it a build option would make it easy to strip out for small systems like that; otherwise those are essential to normal usage of Lix

jade reopened this issue 2024-05-10 21:13:08 +00:00
jade removed the Status wontfix label 2024-05-10 21:13:25 +00:00
Owner

fair enough, i think we should do it with a wrapper *regardless*, because having them as build-deps is fine, and it would be least broken to . the way it should probably work is that the installer and nixos gives you `lixFull`, and `lix` is the unwrapped one that is used in build dependencies, because they *practically universally* don't need to have git work or if they do, they would have it as a build input for their integration tests.

alternatively maybe it should be a client setting `git-fallback-path` or something, which is then a store path, and is used when you don't have git in PATH. but this would make our install process Very Bad if it were actually in a config file in /etc. we would want to have injectable configs within packaging somehow to do that.
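
A sketch of the wrapper-in-a-second-derivation approach discussed in this thread, added here as an example; it is not code from the Lix project or from any participant. It assumes nixpkgs exposes the unwrapped package as `pkgs.lix`; `lixFull` is the name proposed above, and `runtimeTools` is a hypothetical local name.

```nix
# Added example: wrap an unwrapped Lix so git and ssh are reachable at runtime
# without making them build dependencies of Lix itself.
{ pkgs ? import <nixpkgs> { } }:

let
  unwrapped = pkgs.lix;                      # assumption: the unwrapped package
  runtimeTools = [ pkgs.git pkgs.openssh ];  # what git+ssh:// fetching shells out to
in
pkgs.symlinkJoin {
  name = "lixFull";
  paths = [ unwrapped ];
  nativeBuildInputs = [ pkgs.makeWrapper ];

  postBuild = ''
    # Every entry in bin/ is a symlink into the unwrapped package; replace each
    # with a wrapper script. makeWrapper execs with the original argv[0], so
    # name-based dispatch (nix-build, nix-env, ...) keeps working.
    for prog in "$out"/bin/*; do
      # --suffix: git/ssh already on the caller's PATH take priority and the
      # store copies act only as a fallback. Use --prefix instead to always
      # run the pinned store copies.
      wrapProgram "$prog" \
        --suffix PATH : ${pkgs.lib.makeBinPath runtimeTools}
    done
  '';
}
```

Because the unwrapped derivation is untouched, anything that depends on `lix` as a build input does not pull git or openssh into its closure; only the wrapper output does.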


Reference: lix-project/lix#109