Describe the bug
We are trying to rely on Nix deterministic building and I found some weird behavior.
when building using local git+file: vs remote github to the same tag reference, we see different results.
nix build "git+file:$(pwd)?ref=refs/tags/v0.4.0#fedimintd" && sha256sum result/bin/fedimintd
0eed8de41a7243e66201fc29b1a66a92095bf672002be4025bb507aae9172301 result/bin/fedimintd
and
nix build 'github:fedimint/fedimint?ref=refs/tags/v0.4.0#fedimintd' && sha256sum result/bin/fedimintd
2ac5afee3e642f012efff407a903487dd69aabc6bf356128693753693ef4b314 result/bin/fedimintd
This is because we embedd the the git tag passed by the Nix/flake into our binary, as a post processing step. I investigated the diff between binaries and indeed it seems that in the local invocation Nix will pass the object id of the annotated tag itself vs object id of the commit that the tag points at. Both IDs resolve to the same commit ID:
> g rev-parse 6627a75b23a9ce1f^{commit}
d0877d0310453b737309cef404d98300f3dfa0d2
> g rev-parse d0877d0310453b73^{commit}
d0877d0310453b737309cef404d98300f3dfa0d2
However after trying to use rev= version of the commit itself in both invocations to compare the results:
> nix build 'github:fedimint/fedimint?rev=d0877d0310453b737309cef404d98300f3dfa0d2#fedimintd' && sha256sum result/bin/fedimintd
2ac5afee3e642f012efff407a903487dd69aabc6bf356128693753693ef4b314 result/bin/fedimintd
> nix build 'github:fedimint/fedimint?rev=d0877d0310453b737309cef404d98300f3dfa0d2#fedimintd' && sha256sum result/bin/fedimintd
2ac5afee3e642f012efff407a903487dd69aabc6bf356128693753693ef4b314 result/bin/fedimintd
now all the invocations (even one that had a weird behavior before) are giving the same (2ac5afee3e) result, so it looks like something about the caching kicked in and bandaided the issue.
Expected behavior
I guess Nix should peel of the tag -> commit indirection to make all invocations use the same git rev.
nix-env --version output
Additional context
na
Priorities
Add 👍 to issues you find important.
Describe the bug
We are trying to rely on Nix deterministic building and I found some weird behavior.
when building using local
git+file:vs remotegithubto the same tag reference, we see different results.and
This is because we embedd the the git tag passed by the Nix/flake into our binary, as a post processing step. I investigated the diff between binaries and indeed it seems that in the local invocation Nix will pass the object id of the annotated tag itself vs object id of the commit that the tag points at. Both IDs resolve to the same commit ID:
However after trying to use
rev=version of the commit itself in both invocations to compare the results:now all the invocations (even one that had a weird behavior before) are giving the same (
2ac5afee3e) result, so it looks like something about the caching kicked in and bandaided the issue.Expected behavior
I guess Nix should peel of the tag -> commit indirection to make all invocations use the same git rev.
nix-env --versionoutputAdditional context
na
Priorities
Add 👍 to issues you find important.