using-nix/0-prebuilt: add (and revamp all restricted seeding)

ZilchOS · Jan 17, 2022 · bde4a57 · bde4a57
1 parent f5e86f2
commit bde4a57
Show file tree

Hide file tree

Showing 17 changed files with 200 additions and 135 deletions.
diff --git a/default.nix b/default.nix
@@ -49,68 +49,81 @@ let
       ) ];
     } // extra;
 
+  fetchurl = { url, sha256 }: derivation {
+    name = builtins.baseNameOf url;
+    inherit url;
+    urls = [ url ];
+    unpack = false;
+
+    builder = "builtin:fetchurl";
+    system = "builtin";
+    outputHashMode = "flat"; outputHashAlgo = "sha256";
+    preferLocalBuild = true;
+    outputHash = sha256;
+  };
+
   static-gnumake = (import using-nix/2a0-static-gnumake.nix) {
-    inherit mkDerivationStage2 stage1;
+    inherit fetchurl mkDerivationStage2 stage1;
   };
 
   static-binutils = (import using-nix/2a1-static-binutils.nix) {
-    inherit mkDerivationStage2 stage1 static-gnumake;
+    inherit fetchurl mkDerivationStage2 stage1 static-gnumake;
   };
 
   static-gnugcc4-c = (import using-nix/2a2-static-gnugcc4-c.nix) {
-    inherit mkDerivationStage2 stage1 static-gnumake static-binutils;
+    inherit fetchurl mkDerivationStage2 stage1 static-gnumake static-binutils;
   };
 
   intermediate-musl = (import using-nix/2a3-intermediate-musl.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake static-binutils static-gnugcc4-c;
   };
 
   gnugcc4-cpp = (import using-nix/2a4-gnugcc4-cpp.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake static-binutils static-gnugcc4-c;
     inherit intermediate-musl;
   };
 
   gnugcc10 = (import using-nix/2a5-gnugcc10.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake static-binutils gnugcc4-cpp intermediate-musl;
   };
 
   linux-headers = (import using-nix/2a6-linux-headers.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake static-binutils gnugcc10;
   };
 
   cmake = (import using-nix/2a7-cmake.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake static-binutils gnugcc10 linux-headers;
   };
 
   python = (import using-nix/2a8-python.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake static-binutils gnugcc10;
   };
 
   intermediate-clang = (import using-nix/2a9-intermediate-clang.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake static-binutils intermediate-musl gnugcc10;
     inherit linux-headers cmake python;
   };
 
   musl = (import using-nix/2b0-musl.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake intermediate-clang;
   };
 
   clang = (import using-nix/2b1-clang.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake musl intermediate-clang;
     inherit linux-headers cmake python;
   };
 
   busybox = (import using-nix/2b2-busybox.nix) {
-    inherit mkDerivationStage2;
+    inherit fetchurl mkDerivationStage2;
     inherit stage1 static-gnumake musl clang linux-headers;
   };
 

diff --git a/using-nix/0-from-nixpkgs.nix b/using-nix/0-from-nixpkgs.nix
@@ -0,0 +1,85 @@
+# This is to support building protosrc/tinycc from nixpkgs, see comment in 0.nix
+
+let
+  nixpkgs = import (builtins.fetchTarball {
+    name = "pinned-nixpkgs";
+    url = "https://github.com/nixos/nixpkgs/archive/a898a9d1f0503d3b2c66a5bbf8ac459003d3c843.tar.gz";
+    sha256 = "sha256:0m70w5rw5adz3riwh4m4x0vh5z8w0w8nlr1ajwi43ridma30vs8f";
+  }) { system = "x86_64-linux"; };
+
+  tinycc-unliberated = nixpkgs.pkgsStatic.tinycc.overrideAttrs(oa: {
+    version = "unstable-2021-10-30";
+    src = nixpkgs.fetchFromRepoOrCz {
+      repo = "tinycc";
+      rev = "da11cf651576f94486dbd043dbfcde469e497574";
+      sha256 = "sha256-LWdM/1fjx88eCj+Bz4YN9zLEWhSjlX4ULZiPx82nocA=";
+    };
+    configureFlags = nixpkgs.lib.remove "--enable-cross" oa.configureFlags;
+  });
+
+  tinycc-liberated = derivation {
+    name = "tinycc-liberated";
+    builder = "/bin/sh";
+    args = [ "-uexc" ''
+      ${nixpkgs.pkgs.gnused}/bin/sed \
+        's|/nix/store/.\{32\}-|!nix!store/................................-|g' \
+        < ${tinycc-unliberated}/bin/tcc \
+        > $out
+      ! ${nixpkgs.pkgs.gnugrep}/bin/grep -i /nix/store $out
+      ${nixpkgs.pkgs.coreutils}/bin/chmod +x $out
+    ''];
+    allowedReferences = [ ];
+    allowedRequisites = [ ];
+    system = "x86_64-linux";
+    __contentAddressed = true;
+    outputHashAlgo = "sha256"; outputHashMode = "recursive";
+    outputHash = "sha256-ADunchN4nGrE7OJ9OxkuzwsIDOW8I9/GukeiQMwhNIs=";
+  };
+
+  source-tarball-musl = builtins.fetchurl {
+    url = "http://musl.libc.org/releases/musl-1.2.2.tar.gz";
+    sha256 = "9b969322012d796dc23dda27a35866034fa67d8fb67e0e2c45c913c3d43219dd";
+  };
+
+  source-tarball-busybox = builtins.fetchurl {
+    url = "https://busybox.net/downloads/busybox-1.34.1.tar.bz2";
+    sha256 = "415fbd89e5344c96acf449d94a6f956dbed62e18e835fc83e064db33a34bd549";
+  };
+
+  source-tarball-tinycc = builtins.fetchurl {
+    url = "https://github.com/TinyCC/tinycc/archive/da11cf651576f94486dbd043dbfcde469e497574.tar.gz";
+    sha256 = "c6b244e58677c4c486dbf80e35ee01b192e133876942afa07454159ba118b44e";
+  };
+
+  protosrc = derivation {
+    name = "protosrc";
+    builder = "/bin/sh";
+    args = [ "-uexc" ''
+      PATH=${nixpkgs.coreutils}/bin
+      PATH=$PATH:${nixpkgs.gnused}/bin
+      PATH=$PATH:${nixpkgs.gnutar}/bin
+      PATH=$PATH:${nixpkgs.gzip}/bin
+      PATH=$PATH:${nixpkgs.bzip2}/bin
+      export PATH
+      mkdir downloads/
+      cp ${source-tarball-musl} downloads/musl-1.2.2.tar.gz
+      cp ${source-tarball-busybox} downloads/busybox-1.34.1.tar.bz2
+      cp ${source-tarball-tinycc} downloads/tinycc-mob-gitda11cf6.tar.gz
+      mkdir -p recipes
+      cp -r ${../recipes/1-stage1} recipes/1-stage1
+      DESTDIR=$out ${nixpkgs.bash}/bin/bash \
+        ${../recipes/1-stage1/seed.host-executed.sh}
+      mv $out/protosrc/* $out/; rm -d $out/protosrc
+    ''];
+    allowedReferences = [ ];
+    allowedRequisites = [ ];
+    system = "x86_64-linux";
+    __contentAddressed = true;
+    outputHashAlgo = "sha256"; outputHashMode = "recursive";
+    outputHash = "sha256-VPbQvwJOmtld+kTBXdzwrR346L6qT7KhhpUsKu6/IfM=";
+  };
+in
+  {
+    tinycc = tinycc-liberated;
+    inherit protosrc;
+  }
diff --git a/using-nix/0-prebuilt.nix b/using-nix/0-prebuilt.nix
@@ -0,0 +1,30 @@
+# This is to prefetch protosrc/tinycc from github, see comment in 0.nix
+
+let
+  fetchTarball = { name, url, sha256 }: derivation {
+    inherit name url;
+    urls = [ url ];
+    unpack = true;
+
+    builder = "builtin:fetchurl";
+    system = "builtin";
+    outputHashMode = "recursive"; outputHashAlgo = "sha256";
+    preferLocalBuild = true;
+    outputHash = sha256;
+  };
+in
+  {
+    protosrc = fetchTarball {
+      name = "protosrc";
+      url = "http:///127.0.0.1:8000/protosrc.tar.gz";
+      #url = "https://github.com/ZilchOS/bootstrap-from-tcc/.../protosrc.tar.gz";
+      sha256 = "sha256-VPbQvwJOmtld+kTBXdzwrR346L6qT7KhhpUsKu6/IfM=";
+    };
+
+    tinycc = fetchTarball {
+      name = "tinycc-liberated";
+      url = "http:///127.0.0.1:8000/tinycc-liberated.nar";
+      #url = "https://github.com/ZilchOS/bootstrap-from-tcc/.../tinycc-liberated.tar.gz";
+      sha256 = "sha256-ADunchN4nGrE7OJ9OxkuzwsIDOW8I9/GukeiQMwhNIs=";
+    };
+  }
diff --git a/using-nix/0.nix b/using-nix/0.nix
@@ -1,99 +1,35 @@
+# Where do tcc-seed and protosrc come from if you build with Nix?
+
 # When building with `make` or `build.sh` you'll have tcc-seed and protosrc
 # long long before you have Nix,
 # so there's no question of where to take them from, you just inject'em.
 # In this case this file isn't used at all and a simpler 0.nix is generated,
 # see recipes/4-rebootstrap-using-nix.sh
 
+# But not everyone wants to go the full bootstrap route.
 # This file is for when you already have Nix and want to jump into the middle,
 # starting from the second, `using-nix` half of the bootstrap.
 # Cases like hydra or flake-building.
 
-# You ought to start from some tcc
-# and do the initial source patching with something.
-
-# Hope in the future there'll be neater ways to do that,
-# or at least a tarball published somewhere,
-# but currently it just builds both using nixpkgs
-# and ensures they have no dependencies:
-
-let
-  nixpkgs = import (builtins.fetchTarball {
-    name = "pinned-nixpkgs";
-    url = "https://github.com/nixos/nixpkgs/archive/a898a9d1f0503d3b2c66a5bbf8ac459003d3c843.tar.gz";
-    sha256 = "sha256:0m70w5rw5adz3riwh4m4x0vh5z8w0w8nlr1ajwi43ridma30vs8f";
-  }) { system = "x86_64-linux"; };
-
-  tinycc-unliberated = nixpkgs.pkgsStatic.tinycc.overrideAttrs(oa: {
-    version = "unstable-2021-10-30";
-    src = nixpkgs.fetchFromRepoOrCz {
-      repo = "tinycc";
-      rev = "da11cf651576f94486dbd043dbfcde469e497574";
-      sha256 = "sha256-LWdM/1fjx88eCj+Bz4YN9zLEWhSjlX4ULZiPx82nocA=";
-    };
-    configureFlags = nixpkgs.lib.remove "--enable-cross" oa.configureFlags;
-  });
-
-  tinycc-liberated = derivation {
-    name = "tinycc-liberated";
-    builder = "/bin/sh";
-    args = [ "-uexc" ''
-      ${nixpkgs.pkgs.gnused}/bin/sed \
-        's|/nix/store/.\{32\}-|!nix!store/................................-|g' \
-        < ${tinycc-unliberated}/bin/tcc \
-        > $out
-      ! ${nixpkgs.pkgs.gnugrep}/bin/grep -i /nix/store $out
-      ${nixpkgs.pkgs.coreutils}/bin/chmod +x $out
-    ''];
-    allowedReferences = [ ];
-    allowedRequisites = [ ];
-    system = "x86_64-linux";
-    __contentAddressed = true;
-    outputHashAlgo = "sha256"; outputHashMode = "recursive";
-  };
+# One option is to build them using nixpkgs (see 0-from-nixpkgs.nix),
+# but then you need nixpkgs, IFD and stuff.
 
-  source-tarball-musl = builtins.fetchurl {
-    url = "http://musl.libc.org/releases/musl-1.2.2.tar.gz";
-    sha256 = "9b969322012d796dc23dda27a35866034fa67d8fb67e0e2c45c913c3d43219dd";
-  };
+# Alternatively we could download them prebuilt from github:ZilchOS,
+# but then there's the question of falling back to another method
+# when recipes/1-stage1/seed.host-executed.sh or recipes/1-stage1/syscall.h
+# are updated.
 
-  source-tarball-busybox = builtins.fetchurl {
-    url = "https://busybox.net/downloads/busybox-1.34.1.tar.bz2";
-    sha256 = "415fbd89e5344c96acf449d94a6f956dbed62e18e835fc83e064db33a34bd549";
-  };
+# Here's one weird combined approach:
 
-  source-tarball-tinycc = builtins.fetchurl {
-    url = "https://github.com/TinyCC/tinycc/archive/da11cf651576f94486dbd043dbfcde469e497574.tar.gz";
-    sha256 = "c6b244e58677c4c486dbf80e35ee01b192e133876942afa07454159ba118b44e";
-  };
-
-  protosrc = derivation {
-    name = "protosrc";
-    builder = "/bin/sh";
-    args = [ "-uexc" ''
-      PATH=${nixpkgs.coreutils}/bin
-      PATH=$PATH:${nixpkgs.gnused}/bin
-      PATH=$PATH:${nixpkgs.gnutar}/bin
-      PATH=$PATH:${nixpkgs.gzip}/bin
-      PATH=$PATH:${nixpkgs.bzip2}/bin
-      export PATH
-      mkdir downloads/
-      cp ${source-tarball-musl} downloads/musl-1.2.2.tar.gz
-      cp ${source-tarball-busybox} downloads/busybox-1.34.1.tar.bz2
-      cp ${source-tarball-tinycc} downloads/tinycc-mob-gitda11cf6.tar.gz
-      mkdir -p recipes
-      cp -r ${../recipes/1-stage1} recipes/1-stage1
-      DESTDIR=$out ${nixpkgs.bash}/bin/bash \
-        ${../recipes/1-stage1/seed.host-executed.sh}
-      mv $out/protosrc/* $out/; rm -d $out/protosrc
-    ''];
-    allowedReferences = [ ];
-    allowedRequisites = [ ];
-    system = "x86_64-linux";
-    __contentAddressed = true;
-    outputHashAlgo = "sha256"; outputHashMode = "recursive";
-  };
+let
+  and = builtins.all (x: x);
+  syscall_h_ours = ../recipes/1-stage1/syscall.h;
+  syscall_h_reference = "/nix/store/gh596yjx16c7p4l7djwl34aljsn0a21w-syscall.h";
+  syscall_h_is_unmodified = (syscall_h_ours == syscall_h_reference);
+  stage1_seeder_ours = ../recipes/1-stage1/seed.host-executed.sh;
+  stage1_seeder_reference = "/nix/store/8y505dqkkn80mvpg3pxz2gqmfardbg8h-seed.host-executed.sh";
+  stage1_seeder_is_unmodified = (stage1_seeder_ours == stage1_seeder_reference);
 in
-  {
-    tinycc = tinycc-liberated;
-    inherit protosrc;
-  }
+  if (and [ syscall_h_is_unmodified stage1_seeder_is_unmodified ])
+  then import ./0-from-nixpkgs.nix
+  else import ./0-prebuilt.nix
diff --git a/using-nix/2a0-static-gnumake.nix b/using-nix/2a0-static-gnumake.nix
@@ -1,7 +1,7 @@
-{ mkDerivationStage2, stage1 }:
+{ fetchurl, mkDerivationStage2, stage1 }:
 
 let
-  source-tarball-gnumake = builtins.fetchurl {
+  source-tarball-gnumake = fetchurl {
     # local = /downloads/make-4.3.tar.gz;
     url = "http://ftp.gnu.org/gnu/make/make-4.3.tar.gz";
     sha256 = "e05fdde47c5f7ca45cb697e973894ff4f5d79e13b750ed57d7b66d8defc78e19";

diff --git a/using-nix/2a1-static-binutils.nix b/using-nix/2a1-static-binutils.nix
@@ -1,7 +1,7 @@
-{ mkDerivationStage2, stage1, static-gnumake }:
+{ fetchurl, mkDerivationStage2, stage1, static-gnumake }:
 
 let
-  source-tarball-binutils = builtins.fetchurl {
+  source-tarball-binutils = fetchurl {
     # local = /downloads/binutils-2.37.tar.xz;
     url = "https://ftp.gnu.org/gnu/binutils/binutils-2.37.tar.xz";
     sha256 = "820d9724f020a3e69cb337893a0b63c2db161dadcb0e06fc11dc29eb1e84a32c";

diff --git a/using-nix/2a2-static-gnugcc4-c.nix b/using-nix/2a2-static-gnugcc4-c.nix
@@ -1,22 +1,22 @@
-{ mkDerivationStage2, stage1, static-gnumake, static-binutils }:
+{ fetchurl, mkDerivationStage2, stage1, static-gnumake, static-binutils }:
 
 let
-  source-tarball-gcc = builtins.fetchurl {
+  source-tarball-gcc = fetchurl {
     # local = /downloads/gcc-4.7.4.tar.bz2;
     url = "https://ftp.gnu.org/gnu/gcc/gcc-4.7.4/gcc-4.7.4.tar.bz2";
     sha256 = "92e61c6dc3a0a449e62d72a38185fda550168a86702dea07125ebd3ec3996282";
   };
-  source-tarball-gmp = builtins.fetchurl {
+  source-tarball-gmp = fetchurl {
     # local = /downloads/gmp-4.3.2.tar.xz;
     url = "https://gmplib.org/download/gmp/archive/gmp-4.3.2.tar.xz";
     sha256 = "f69eff1bc3d15d4e59011d587c57462a8d3d32cf2378d32d30d008a42a863325";
   };
-  source-tarball-mpfr = builtins.fetchurl {
+  source-tarball-mpfr = fetchurl {
     # local = /downloads/mpfr-2.4.2.tar.xz;
     url = "https://www.mpfr.org/mpfr-2.4.2/mpfr-2.4.2.tar.xz";
     sha256 = "d7271bbfbc9ddf387d3919df8318cd7192c67b232919bfa1cb3202d07843da1b";
   };
-  source-tarball-mpc = builtins.fetchurl {
+  source-tarball-mpc = fetchurl {
     # local = /downloads/mpc-0.8.1.tar.gz;
     url = "http://www.multiprecision.org/downloads/mpc-0.8.1.tar.gz";
     sha256 = "e664603757251fd8a352848276497a4c79b7f8b21fd8aedd5cc0598a38fee3e4";

diff --git a/using-nix/2a3-intermediate-musl.nix b/using-nix/2a3-intermediate-musl.nix
@@ -1,8 +1,8 @@
-{ mkDerivationStage2
+{ fetchurl, mkDerivationStage2
 , stage1, static-gnumake, static-binutils, static-gnugcc4-c }:
 
 let
-  source-tarball-musl = builtins.fetchurl {
+  source-tarball-musl = fetchurl {
     # local = /downloads/musl-1.2.2.tar.gz;
     url = "http://musl.libc.org/releases/musl-1.2.2.tar.gz";
     sha256 = "9b969322012d796dc23dda27a35866034fa67d8fb67e0e2c45c913c3d43219dd";