Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

scripts/update: Set nix-update-script by default #325074

Closed

Conversation

Pandapip1
Copy link
Contributor

Description of changes

Will cause maintainers/scrips/update.nix to use nix-update-script { } by default if no passthru.updateScript is set, unless passthru.updateScript is set to null.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@Pandapip1 Pandapip1 requested a review from jtojnar as a code owner July 6, 2024 16:17
@AndersonTorres
Copy link
Member

Why?

@Pandapip1
Copy link
Contributor Author

Pandapip1 commented Jul 6, 2024

I just want to preface my comment with this: I'm opening this PR not to have it immediately merged, but just to get a discussion going.

Why?

  • nix-update-script works for a lot of packages, and if there's a package it doesn't work for, it's probably worth making an issue so it can be supported.
    • There's minimal harm to a non-functional update script. The auto update fails, and that's it.
  • It feels redundant having to include passthru.updateScript = nix-update-script { }; in every package I upstream, and I imagine that others might feel the same way
  • The documentation for passthru.updateScript is not easily discover-able to new contributors

Basically, much of the same rationale that would apply for #178468 or any other non-trivial change to default values.

@AndersonTorres
Copy link
Member

What does nix-update-script { } do?

Copy link
Contributor

@eclairevoyant eclairevoyant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall the change looks good, I'll approve once I get a chance to test thoroughly.

@@ -120,7 +120,7 @@ let
if pathContent == null then
builtins.throw "Attribute path `${path}` does not exist."
else
packagesWithPath prefix (path: pkg: builtins.hasAttr "updateScript" pkg)
packagesWithPath prefix (path: pkg: !(builtins.hasAttr "updateScript" pkg && pkg.updateScript == null))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not blocking, but wonder why we didn't just use pkg ? updateScript instead of the hasAttr bit

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Jul 6, 2024
@Pandapip1
Copy link
Contributor Author

What does nix-update-script { } do?

It's this, but upstreamed to nixpkgs: https://github.com/Mic92/nix-update/

@Pandapip1 Pandapip1 force-pushed the nix-update-script-by-default branch from 89024d3 to cd3fa01 Compare July 6, 2024 17:04
@jtojnar
Copy link
Member

jtojnar commented Jul 6, 2024

It is similar to the debate between whitelists vs blacklists. Generally, I prefer the former since there can be issues that require human evaluation. But I acknowledge that it takes much more work.

  • There's minimal harm to a non-functional update script. The auto update fails, and that's it.

On the top of my head:

  • It will slow down update.nix significantly for maintainers with many packages by attempting to download stuff that does not support it.
  • For packages with multiple sources, it can update src while the other ones will remain stale.
    • This might cause r-ryantm to open a broken PR (not all packages are covered by tests).
  • It will override r-ryantm’s native update sources, not sure what the effect can be.
  • It might update to versions that are not considered stable (e.g. odd-unstable version scheme).

@eclairevoyant
Copy link
Contributor

  • For packages with multiple sources, it can update src while the other ones will remain stale.

This would be a case where a custom update script is needed anyway.

  • This might cause r-ryantm to open a broken PR (not all packages are covered by tests).

Broken how? It would at least build, as the bot tries to build it before sending a PR.

  • It might update to versions that are not considered stable (e.g. odd-unstable version scheme).

Same as above, we'd want a custom script if some versions need to be handled differently.

@AndersonTorres
Copy link
Member

AndersonTorres commented Jul 6, 2024

I just want to preface my comment with this: I'm opening this PR not to have it immediately merged, but just to get a discussion going.

A pull request is oriented to a merge, not to a discussion. But OK.

* `nix-update-script` works for a lot of packages, and if there's a package it doesn't work for, it's probably worth making an issue so it _can_ be supported.
  
  * There's minimal harm to a non-functional update script. The auto update fails, and that's it.

Famous last words

A failure creeping an already massive package database?

* It feels redundant having to include `passthru.updateScript = nix-update-script { };` in every package I upstream, and I imagine that others might feel the same way

Why does it feel redundant?

* The documentation for `passthru.updateScript` is not easily discover-able to new contributors

You are trying to fix a failure of documentation by burying this poorly documented feature in all packages?

As an example, Just do a small research about splicing and explain like I am five why python3.pkgs.pygame is different from python3Packages.pygame.

Basically, much of the same rationale that would apply for #178468 or any other non-trivial change to default values.

Your comparison could not be more unconvincing.

Globally setting strictDeps as true deals directly with the core task of Nixpkgs, namely, building software.
Especially, cross-aware building environments.

It requires a huge refactor, since many softwares packaged by Nixpkgs are not built with cross-compilation in mind - including some Nixpkgs dark corners, ironically -, and setting strictDeps shows many of those cockroaches (to quote @\Aleksanaa).

But, setting an out-of-tree updater script? Why?
Just to save less than 700 (the files I have found by rg) * 50 (the size of line including it) = 35000 bytes in a 380M repo and slowing down Nixpkgs even more?


What does nix-update-script { } do?

It's this, but upstreamed to nixpkgs: https://github.com/Mic92/nix-update/

Hum, nice. Injecting a third party project in all expressions and packages, what could go wrong?

Oh, the auto update fails, and that's it. Never mind.

@AndersonTorres
Copy link
Member

Broken how? It would at least build, as the bot tries to build it before sending a PR.

Ryanbot does not test it over Darwin. Example: #324211

@emilazy
Copy link
Member

emilazy commented Jul 6, 2024

I was just asking in Matrix earlier because it was completely unclear to me whether you’re meant to explicitly set passthru.updateScript on every “normal” package or if @r-ryantm etc. would work regardless and it’s just pointless noise. So I’d support either this default or much better documentation about things you should include in your package. (See also: More official guidelines in regards to styling choices.)

@AndersonTorres
Copy link
Member

I was just asking in Matrix earlier because it was completely unclear to me whether you’re meant to explicitly set passthru.updateScript on every “normal” package or if @r-ryantm etc. would work regardless and it’s just pointless noise.

As far as I remember, ryanbot can work automagically on the easiest packages.

However, ryanbot also honors an updateScript explicitly set. It is useful for some harder cases like multi-source packages.

So I’d support either this default or much better documentation about things you should include in your package.

Updater scripts should never be a hard requirement.

@emilazy
Copy link
Member

emilazy commented Jul 6, 2024

Hence “should”.

@jtojnar
Copy link
Member

jtojnar commented Jul 6, 2024

  • This might cause r-ryantm to open a broken PR (not all packages are covered by tests).

Broken how? It would at least build, as the bot tries to build it before sending a PR.

Sorry, meant that as a sub-point of the multiple sources.

@Pandapip1
Copy link
Contributor Author

Pandapip1 commented Jul 6, 2024

Would you guys prefer that I make a bot that automatically tries to add a passthru.updateScript to packages without one, and for me to submit a PR that adds update scripts treewide? I can whip that up really quickly.

@emilazy
Copy link
Member

emilazy commented Jul 6, 2024

Would the bot be able to tell if the update script has any chance of working? The nice thing about a default is that it doesn’t imply that.

@Pandapip1
Copy link
Contributor Author

Addressing #325074 (comment)

It will slow down update.nix significantly for maintainers with many packages by attempting to download stuff that does not support it.

This is a fair point. The question is whether it's worth spending that extra bandwidth in order to keep packages more up-to-date.

For packages with multiple sources, it can update src while the other ones will remain stale. This might cause r-ryantm to open a broken PR (not all packages are covered by tests).

For linux, builds are built (and if tests are available, tests are run). nix-update-script doesn't currently support

For darwin, broken PRs are a valid concern, but that's true for all PRs that touch darwin and is something that should probably be solved.

It will override r-ryantm’s native update sources, not sure what the effect can be.

@r-ryantm uses https://repology.org/ to detect if there's a new version that's been included to a different downstream package repository, and naively tries to update the version and the hash. nix-update-script should be strictly better.

It might update to versions that are not considered stable (e.g. odd-unstable version scheme).

This is also a valid concern.

Addressing #325074 (comment)

Famous last words
A failure creeping an already massive package database?

You misunderstand what a failure looks like. maintainers/scripts/update.nix returns a non-zero exit code for that package, and a PR is not made.

Why does it feel redundant?

The same line, repeated hundreds if not thousands of times, is redundant. Yes, it's not much storage-wise, but my concern is more about the repeated work, not the reduced code quality.

You are trying to fix a failure of documentation by burying this poorly documented feature in all packages?

...Yes, I guess?

As an example, Just do a small research about splicing and explain like I am five why python3.pkgs.pygame is different from python3Packages.pygame.

I don't get what point you are trying to make here, or how it relates to the broader discussion here.

Your comparison could not be more unconvincing.

Globally setting strictDeps as true deals directly with the core task of Nixpkgs, namely, building software, especially, cross-aware building environments.

This directly deals with that same core task by ensuring that the software that is built is more up-to-date.

Setting an out-of-tree updater script? Why? Just to save less than 700 (the files I have found by rg) * 50 (the size of line including it) = 35000 bytes in a 380M repo and #320528?

See my previous comments. There are more reasons than just saving memory (and that's not even a valid reason, as due to the way git works, those older versions will also be saved.

Hum, nice. Injecting a third party project in all expressions and packages, what could go wrong?

What if tomorrow the repo disappear?

Auto-updates fail. Nothing bad happens, and once someone forks it, life continues as normal.

What if they change the implementation to an otherwise badly supported framework?
Or maybe worse, they do not update the framework despite it being deprecated and insecure?

The worst that can happen is that auto-updates fail, or maybe there's an RCE that allows for the PR contents to be arbitrarily changed. Since manual merges / reviews are necessary by a commiter or a package maintainer, this is also fine.

What if their repo is social-hacked?

Auto-updates fail or the PR contents can be arbitrarily changed.

Oh, the auto update fails, and that's it. Never mind.

There are other possible effects too.

Addressing #325074 (comment)

Ryanbot does not test it over Darwin. Example: #324211

Are you sure this is not because platforms = lib.platforms.unix? I am aware that OSX is Unix (even in Nixpkgs:

isUnix = [ isBSD isDarwin isLinux isSunOS isCygwin isRedox ];
), but it just might not be tested by @r-ryantm due to some bug.

If darwin is just straight up never tested, is there a technological reason why?

Addressing #325074 (comment)

Would the bot be able to tell if the update script has any chance of working? The nice thing about a default is that it doesn’t imply that.

Yes. nix-update-script fails if the way the derivation is constructed means that it can't update.

@eclairevoyant eclairevoyant marked this pull request as draft July 6, 2024 20:53
@eclairevoyant
Copy link
Contributor

drafting to prevent accidental merge

@eclairevoyant
Copy link
Contributor

What does r-ryantm do if updateScript is null?

BTW @AndersonTorres I already suggested moving nixpkgs-update in-tree, that was rejected. Best we can ask for is that it moves under nix-community it seems.

But it should also be noted that r-ryantm, which is also an out-of-tree bot that we have no control over, has provided more contributions to nixpkgs than any human contributor. Switching to a better-maintained script (nixpkgs-update -> nix-update) seems like it only has upsides WRT the bot.

@AndersonTorres
Copy link
Member

BTW @AndersonTorres I already suggested moving nixpkgs-update in-tree, that was rejected.

Indeed it is not a good idea. It is just vendoring with extra steps.
And I have argued against vendoring a long time ago:

#276569 (comment)

Further, nix-update is not limited to Nixpkgs.

Best we can ask for is that it moves under nix-community it seems.

I agree 100%.
They can even be adopted by NixOS, but I believe nix-community is better suited.

Switching to a better-maintained script (nixpkgs-update -> nix-update) seems like it only has upsides WRT the bot.

nix-update repo also says it is better suited for interactive usage, not for massive updates.

@eclairevoyant
Copy link
Contributor

As far as I see, https://github.com/nix-community/nixpkgs-update/blob/main/src/Update.hs does not indicate any intelligent updating for various language builders, it just tries to update src.
nix-update currently supports the rust, go, npm, composer, maven, and yarn builders, as well as fetchers for more obscure forges. I see no evidence nixpkgs-update is somehow "better for mass updates".

@Pandapip1
Copy link
Contributor Author

nix-update repo also says it is better suited for interactive usage, not for massive updates.

nixpkgs-update is, to my understanding, a minimal wrapper around nix-update

@eclairevoyant
Copy link
Contributor

nixpkgs-update is, to my understanding, a minimal wrapper around nix-update

If that was the case, this PR would not bring any benefit. But as far as I can tell, they are independent projects,see the code example linked above.

@AndersonTorres
Copy link
Member

AndersonTorres commented Jul 7, 2024

This is a fair point. The question is whether it's worth spending that extra bandwidth in order to keep packages more up-to-date.

Not everyone here lives inside a backbone.


You misunderstand what a failure looks like. maintainers/scripts/update.nix returns a non-zero exit code for that package, and a PR is not made.

Yes, and we all memorized the error codes emitted by the tool, so that we know if the original repo changed location or was deleted, if the tarball was deleted because upstream does not like version control, if the tool itself is bugged or does not support that specific protocol...

Ah, about unsupported protocols, as far as I remember nix-update does not support oldschool tarballs.

...Yes, I guess?

And we at Nixpkgs should be utterly proud of our wonderful reputation of having a subpar documentation.
Congrats.

I don't get what point you are trying to make here, or how it relates to the broader discussion here.

About splicing

Splicing is a huge piece of dark magic that less than five people truly understand.
Splicing is the ground for how cross-compilation works in Nixpkgs, thus affecting the whole repo.
Splicing is just taken for granted.
And splicing can bite you in inexplicable ways.

#204303 (comment)

And look, splicing is Nix code, kept inside Nixpkgs.

If we have basically no control for an in-house tool that pervades all Nixpkgs, why should I blindly believe in a tool that is completely external to it that is not even written in the same language?

Just to save less than 35M in a 380M repo, and with the special prize of slowing down Nixpkgs evaluation even more?

(The part about old code being backed up is not the point - it is about the negligible economy of mere 50 characters per file)

This directly deals with that same core task by ensuring that the software that is built is more up-to-date.

In a repo with five branches of nv-codec-headers, two or three versions of Nix, eleven GCCs, seven JDKs, seven Clangs...

Yes, up-to-date is everything a package manager is concerned.

Auto-updates fail.

All auto-updates fail if nix-update disappears.

Nothing bad happens

Not having up-to-date software - a thing you yourself called "the same core task" as cross-compilation support - is not a bad thing? Not being able to build Android apps outside a smartphone is "nothing bad"?

The worst that can happen is

The worst that can happen is that we became dependent on a piece of code that we can't control.

but it just might not be tested by r-ryantm due to some bug.

A bug called "not having enough money to run this on an M1 machine" :(

@AndersonTorres
Copy link
Member

AndersonTorres commented Jul 7, 2024

As far as I see, https://github.com/nix-community/nixpkgs-update/blob/main/src/Update.hs does not indicate any intelligent updating for various language builders, it just tries to update src.

Paradoxically, a dumb tool is better suited to a massive repetitive task.
Many tarballs from SourceForge and GitHub were updated with this dumb tool.

Further, the same nixpkgs-update honors passthru.updateScript.

I see no evidence nixpkgs-update is somehow "better for mass updates".

Then the documentation of nix-update should be updated:

nixpkgs-update is optimized for mass-updates in nixpkgs while nix-update is better suited for interactive usage that might require user-intervention i.e. fixing the build and testing the result. nix-update is also not limited to nixpkgs.

@Pandapip1
Copy link
Contributor Author

You've made your point clear. I'll work on a treewide addition of updateScripts instead.

@Pandapip1 Pandapip1 closed this Jul 7, 2024
@Pandapip1 Pandapip1 deleted the nix-update-script-by-default branch July 7, 2024 14:29
@AndersonTorres
Copy link
Member

AndersonTorres commented Jul 8, 2024

Just to make sure:
I am full favorable of automation.

But the way it was going to be implemented here is not good.

Injecting a default updater in all packages is not good.
Injecting a default updater in all packages by manipulating a core Nixpkgs functionality is not good.
Injecting an external project as a default updater in all packages by manipulating a core Nixpkgs functionality is not good.


About another mildly-related incident

Further, we had a serious problem before when someone tried to be smart (and full of sophistry) and forced a functionality over everyone: it broke eval because it assumed each and every package was "well-written".

#294347 (comment)

#294347 (comment)

Let's learn a bit with our mistakes.

@emilazy
Copy link
Member

emilazy commented Jul 8, 2024

@AndersonTorres, I’d really appreciate it if you could try to be a bit kinder and more charitable towards contributors. Accusing people of sophistry for not implementing something the way you thought is best on unrelated PRs gets us nowhere as far as productive mutual discussion goes.

@AndersonTorres
Copy link
Member

To be clear, sophistry is not always committed on bad faith, and I am not accusing people of having bad faith here and/or using sophistry on this conversation.
Further I will hide the text in order to de-escalate.

@Pandapip1
Copy link
Contributor Author

Pandapip1 commented Jul 8, 2024

I wouldn't go so far as to call @AndersonTorres's comments sophistry. They were firm and sometimes poorly phrased, but nonetheless in good faith and always contained legitimate concerns and/or misunderstandings.

@emilazy
Copy link
Member

emilazy commented Jul 8, 2024

Just to clarify: I was referring to the now‐collapsed section of @AndersonTorres’s earlier comment, which described another contributor on a previous PR as having been “full of sophistry”; I certainly have no intentions of accusing anyone of sophistry myself. (I’ve never personally seen the word used in a way that doesn’t imply bad faith on the part of the presumed sophist, but I recognize that the language barrier may have made the use of the term come off as more hostile to me than intended.)

@emilazy emilazy mentioned this pull request Jul 12, 2024
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants