57 lines
1.4 KiB
Markdown
57 lines
1.4 KiB
Markdown
|
# Fetchers and Fixed-Output Derivations
|
||
|
|
|
||
|
|
This note covers `22-fetchers-and-fixed-output/`, which uses `fetchurl` to pin an upstream tarball by content hash.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 1. Why Fetchers Need a Hash
|
||
|
|
|
||
|
|
When Nix fetches content from outside the store, it needs a declared hash so the result stays reproducible.
|
||
|
|
|
||
|
|
That turns the fetch into a fixed-output derivation: the output is defined by the content hash, not just by the build steps.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 2. What This Example Pins
|
||
|
|
|
||
|
|
The example fetches:
|
||
|
|
|
||
|
|
- the GNU hello source archive,
|
||
|
|
- from a concrete upstream URL, and
|
||
|
|
- with a declared SHA-256 hash.
|
||
|
|
|
||
|
|
If the upstream content changes, the hash check fails instead of silently accepting different bytes.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 3. Why the Example Builds a Second Package
|
||
|
|
|
||
|
|
The fetched file by itself is not very interesting. The point is that later derivations can consume it as a normal store path.
|
||
|
|
|
||
|
|
This example adds a small package that reads the tarball and prints its top-level entry. That keeps the fetcher visible while still showing how fetched inputs flow into downstream builds.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 4. What the Check Verifies
|
||
|
|
|
||
|
|
The check:
|
||
|
|
|
||
|
|
- computes the tarball SHA-256 with `sha256sum`, and
|
||
|
|
- asserts that the archive contains `hello-2.12.3/README`.
|
||
|
|
|
||
|
|
That proves both the pinned bytes and the expected archive layout.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 5. Commands to Try
|
||
|
|
|
||
|
|
```bash
|
||
|
|
cd 22-fetchers-and-fixed-output
|
||
|
|
|
||
|
|
nix build
|
||
|
|
./result/bin/show-fetched-hello-source
|
||
|
|
|
||
|
|
nix run
|
||
|
|
nix flake check
|
||
|
|
```
|