Add nix support #275
shell.nix
@@ -0,0 +1,3 @@ | |||
(import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) { |
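Review bot: the `fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz` call in shell.nix fetches a mutable branch archive with no hash, so the compatibility shim can change under you between builds and the shell is neither reproducible nor tamper-evident; pin it to a specific commit archive and pass a `sha256` (fetchTarball accepts `{ url = ...; sha256 = ...; }`) so Nix verifies what it downloaded, matching the pinning the rest of this PR aims for.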
This file is here for compatibility with the "pre-Flake" Nix world.
@rolfschr thanks! I am not familiar with the Nix world, so I can't say much; however, skimming through the diff, I don't see the code setting up the env variable. Also the DCO check is failing; could you sign off your commits?
Signed-off-by: Rolf Schröder <[email protected]>
@sbs2001 Thanks for the quick feedback. I signed off the commits. I am not sure how you would like me to set up the
@rolfschr yeah, I'm sorry for the I'm approving this, and we could merge this once @pombredanne has a look at this; he is unavailable atm, so this might take a few days. By the way, about the NGI link you mentioned, it requires some authorization. I'm guessing only the proposer has access to it, is that correct?
@rolfschr I was wondering what's the advantage of using Nix packaging vs the already provided Docker setup, apart from not requiring to install Docker itself?
@sbs2001 Well the advantage is you don't need Docker, obvious disadvantage: you need Nix ^^. Mainly, the advantage of using Nix in such a way is that the build will be reproducible. You did pin the Python requirements as well as the docker base image. I would guess it doesn't make such a big difference in our case.
flake.nix
@@ -0,0 +1,155 @@ | |||
{ |
It would probably be wise to not use the unstable flake format for this but to use the "classic" packaging for Nix packages here. This format has not been formalized or finalized.
Thanks for reviewing! The NixOS Foundation decided to package software related to the NGI Zero subprogram using the Flakes format. There is no obligation to include this upstream.
EDIT: improve wording
That link you posted requires a login. Where can we obtain one?
@rolfschr Thank you ++ ... this looks great though I have a few questions:
- we do not use poetry (and there is no plan to switch to using it for now) so I am not sure how to manage both pinned requirements and a poetry lock file at the same time (to keep them in sync and avoid confusion of multiple lockfiles at the root)
- how could we test this packaging in the CI?
- is there a way to put all scripts and packaging files in a subdirectory such as /etc/nix?
Hi @pombredanne, thanks for your review.
The PR contains a patch that "converts" the code base into a poetry project. This patch is not meant to be applied by you but is applied on the fly by Nix. It should just sit in the repo. The patch itself needs to be modified whenever the
I don't have experience with Travis but probably I could just add another build job? Alternatively, a GitHub workflow would do.
Yes, I could do this. Let me know what you think and I'll adapt the PR.
re:
This would be great.
And that would be great too! thanks
@rolfschr do you mind adding back your DCO signoff?
@andir does everything look good to you otherwise?
So I'm happy with the state as is. I moved files to to
Sure thing!
thx ++
FWIW, we are eventually setting up a server dedicated to continuously fetch and keep the data fresh and make it available via the API and dumps :)
From a Nix perspective this looks pretty good to me 👍
I did a code review of the Nix files and also ran the flake checks locally as well as the ./test-import-using-nix.sh script used for CI for confirmation. Since the Nix checks run pytest against a Nix-provided Postgres database, it makes sense to rely on that for functional integrity of the package.
I commented on a few minor nitpicks in the code, but that is mostly syntax and documentation.
(For reference, I am the Nix reviewer coming in from ngi-nix/ngi#73.)
@edibopp Thanks for your review! I worked in all your comments. @pombredanne From my point of view, this PR can be merged now.
Meh, let me check the issue with the updated
@pombredanne Soooo, finally, I think you could merge this. I had to update
@rolfschr Thanks!
LGTM! Thanks
Signed-off-by: Philippe Ombredanne <[email protected]>
All merged. Thank you ++ 🙇
This PR adds support for Nix as part of the NGI0 subprogram.
Usually, a Nix package would get packaged by first declaring (or packaging if needed) its dependencies. In the Python world, this is not so easy, so several solutions have emerged (pypi2nix, poetry2nix and others). VulnerableCode has a couple of dependencies which are not yet packaged in nixpkgs and are fairly hard to integrate. I opted to use poetry2nix to get that part done. However, VulnerableCode is not a Poetry project, so I included a (non-applied) patch to convert it (i.e. add the necessary files). The patch is applied during the creation of VulnerableCode's Nix package. I have furthermore added a script that generates this patch file automatically, given setup.py and requirements.txt. The Nix package build will fail if requirements.txt have changed, too. Finally, there is a test script that creates a temporary database and runs the import. Also, I'm happy to provide a GitHub Workflow to run the Nix build as well as some tests periodically.
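The conversion step the description outlines (pinned requirements.txt turned into Poetry dependency metadata that poetry2nix consumes, plus a staleness check so the build fails once requirements.txt changes), as an added example; this is not the PR's own generator script, and the requirements lines, the regex and the digest scheme are constructed here for illustration.

```python
import hashlib
import re

# Constructed sample input (VulnerableCode's real requirements.txt is not on the page).
SAMPLE_REQUIREMENTS = """\
# comments and blank lines are ignored
Django==3.0.7
psycopg2-binary==2.8.5
requests[security]==2.24.0 ; python_version >= "3.6"
"""

# name, optional [extras], exact "==" pin; the version stops at whitespace or an env marker.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[(?P<extras>[^\]]+)\])?\s*==\s*(?P<version>[^\s;]+)"
)

def parse_pins(text):
    """Return {name: (version, extras)} for each line; only exact pins are accepted,
    because an unpinned requirement would defeat the reproducibility the Nix build gives."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {raw!r}")
        extras = [e.strip() for e in m.group("extras").split(",")] if m.group("extras") else []
        pins[m.group("name").lower()] = (m.group("version"), extras)
    return pins

def poetry_dependencies(text):
    """Render the pins as the [tool.poetry.dependencies] table that poetry2nix reads."""
    lines = ["[tool.poetry.dependencies]"]
    for name, (version, extras) in sorted(parse_pins(text).items()):
        if extras:
            extras_toml = ", ".join(f'"{e}"' for e in extras)
            lines.append(f'{name} = {{ version = "{version}", extras = [{extras_toml}] }}')
        else:
            lines.append(f'{name} = "{version}"')
    return "\n".join(lines) + "\n"

def requirements_digest(text):
    """Digest recorded with the generated patch so a later build can tell it is stale."""
    return hashlib.sha256(text.encode()).hexdigest()

def check_patch_fresh(recorded_digest, text):
    """False when requirements.txt changed after the patch was generated: the build must stop."""
    return recorded_digest == requirements_digest(text)
```

Rejecting anything that is not an exact pin is deliberate: a range specifier would let the Nix build resolve a different version than the one reviewed, which is exactly what the pinning is there to prevent.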