pnpm.fetchDeps: non-deterministic hash

[jfraudeau]

pnpm.fetchDeps produces different hashes depending on whether the build directory and $out are on the same partition. This is a problem for setups where /nix is on its own partition

What we currently put in $out is a pnpm content-addressable store which is hardlinked with files with identical content in node_modules. During the install process for each package in node_modules pnpm will flip the permission executable bit of files that are declared in the bin field in package.json

When the workdir and $out are on the same partition files are properly hardlinked so the bit is flipped in node_modules and in the content-addressable store. When they are in different partitions there is no hardlink so original permissions are preserved in the content-addressable store.

This results in different hashes depending on the situation since permissions are taken into account when calculating the hash.

Here are the solutions that I could imagine:

• Normalize permissions in fixupPhase -> No way to easily know what the permissions should be, may break other things
• Put the store inside the workdir so we know it is on the same partition then copy it to $out

Any idea @Scrumplex @gepbird

[gepbird]

At first glance this sounds related to #350063

I maybe be able to look more deeply into this later, can you share a reproducer?

I'm thinking about introducing a new version of pnpm.fetchDeps where permissions are fixed, because breaking all the existing hashes would be annoying for everyone

[jfraudeau]

Sure, here is a minimal repo with which I was able to reproduce the issue : https://github.com/jfraudeau/repro-pnpm-deps
The hash is correct on my laptop and fails in our custom CI worker where /nix is on a different partition.

Not sure how to provide an easy repro for the partition setup, I will try to do something with docker

[jfraudeau]

I was able to reproduce the following docker command:

docker run --volume $(pwd)/tmp:/tmp nixos/nix nix build github:jfraudeau/repro-pnpm-deps --extra-experimental-features nix-command --extra-experimental-features flakes

error: hash mismatch in fixed-output derivation '/nix/store/7rak92cxhwd294v644z4bf2w0cq5viha-repro-pnpm-deps-pnpm-deps.drv':
         specified: sha256-9V5OSyYjlg7pYBZFrzaIsQXWudtMoNstkK3zNZ5SwdA=
            got:    sha256-pujz8LubvkaLuRcJgCc/agDDiiJEqJ9JqPcC+nvs1kU=

One of the offending files will be : /nix/store/c2v2mddy8hv4fi65xpvq8ykjc8zi22ly-repro-pnpm-deps-pnpm-deps/v10/files/08/8 57352b7958603e77f9b30b27a6ace21861cefd25969ce4c7b669e635cddd71a94dc0f1a072172fdab63f719004e0f4a8bcc291668174e79e92f2a6351a61b

When manually inspecting the tarball from npm at https://registry.npmjs.org/napi-postinstall/-/napi-postinstall-0.3.0.tgz we can see that the executable bit is not set which is highly variable across the npm ecosystem

[gepbird]

Thanks @jfraudeau, that was very helpful!

I get the sha256-pujz8LubvkaLuRcJgCc/agDDiiJEqJ9JqPcC+nvs1kU= hash with:

• the docker command you provided
• when I build your repro in my ~, which is on the same physical drive as my /nix/store
• when I build your repro in my /hdd mount, which is on a different physical drive

In those builds, the permission of v10/files/08/8 57352b7958603e77f9b30b27a6ace21861cefd25969ce4c7b669e635cddd71a94dc0f1a072172fdab63f719004e0f4a8bcc291668174e79e92f2a6351a61b is 444, while in the npm registry downloaded .tgz the permission is 644 for the corresponding lib/cli.js

I'm curious how could I make a nix built pnpm store with that 644 permission. Where is /nix on your laptop and CI worker? IIUC I should get 644 too

Regardless, I'll make something like a pnpm.fetchDeps_2 (if we don't find a better name) that sets the permissions in fixupPhase

[jfraudeau]

Thanks for looking at it @gepbird !
These results are very surprising, when you build the repo in different folders do you mean run nix build from a different folder or is there a way to tell nix where to put the build sandbox ? In my case I believe the sandbox is always in /tmp. Can you check what with --keep-failed and see what the permission is on node_modules/napi-postinstall/lib/cli.js ? In my case it is always 755.

Also for a reproduction of the sha256-9V5OSyYjlg7pYBZFrzaIsQXWudtMoNstkK3zNZ5SwdA= hash I got it when building in docker without a volume:

docker run nixos/nix nix build github:jfraudeau/repro-pnpm-deps --extra-experimental-features nix-command --extra-experimental-features flakes

Regarding the name for a new version, I think there was a discussion about putting the fetcher outside of the pnpm package like lib.fetchNpmDeps and lib.fetchYarnDeps

[gepbird]

when you build the repo in different folders do you mean run nix build from a different folder or is there a way to tell nix where to put the build sandbox ?

I have the repro flake on separate physical drives and build it from there (I modified the hash in your flake for the one I always get):

repro-pnpm-deps ❯ cd ~/repro-pnpm-deps 
repro-pnpm-deps ❯ nix build --rebuild
warning: Git tree '/home/gep/repro-pnpm-deps' is dirty
repro-pnpm-deps ❯ cd /hdd/repro-pnpm-deps 
repro-pnpm-deps ❯ nix build --rebuild    
warning: Git tree '/hdd/repro-pnpm-deps' is dirty
repro-pnpm-deps ❯ 

In my case I believe the sandbox is always in /tmp.

I'm not sure how to check where is the build sandbox. When a build is running, I don't see new entries (eg. ls /tmp | wc -l is constant). IIRC previously when I was debugging a build, the sandbox was in /tmp

Can you check what with --keep-failed and see what the permission is on node_modules/napi-postinstall/lib/cli.js ? In my case it is always 755.

Also what should I build with --keep-failed? Your repro package produces a pnpm store, where there are files like v10/files/08/8 57352b7958603e77f9b30b27a6ace21861cefd25969ce4c7b669e635cddd71a94dc0f1a072172fdab63f719004e0f4a8bcc291668174e79e92f2a6351a61b, but there's no node_modules/napi-postinstall/lib/cli.js

If you meant build your repro package with --keep-failed, I'm not sure how it helps in this context: I can only build one version of your repro that has files without the executable bit set. If I could it with executable bits set, then --keep-failed would make sense

Also for a reproduction of the sha256-9V5OSyYjlg7pYBZFrzaIsQXWudtMoNstkK3zNZ5SwdA= hash I got it when building in docker without a volume:

docker run nixos/nix nix build github:jfraudeau/repro-pnpm-deps --extra-experimental-features nix-command --extra-experimental-features flakes

Unfortunately it's still the same sha256-pujz8LubvkaLuRcJgCc/agDDiiJEqJ9JqPcC+nvs1kU= hash for me

Regarding the name for a new version, I think there was a discussion about putting the fetcher outside of the pnpm package like lib.fetchNpmDeps and lib.fetchYarnDeps

Great idea, I almost entirely forgot about it, I'll check it later :)

[jfraudeau]

Thanks for the PR, I will have a look at it !

I feel kind of stupid, I reinstalled nix on my machine and I now also have sha256-pujz8LubvkaLuRcJgCc/agDDiiJEqJ9JqPcC+nvs1kU= so I can't really test your fix

[jmoggr]

I tested the PR and it worked! It fixed a build error in Github actions CI caused by a hash mismatch.

Thank you!

before: ci logs, commit
after: ci logs, commit