![]() By default, Perl versions since 5.8.1 use randomization to make hashes resistant to complexity attacks. That randomization makes building VM images such as ubuntu1804x86_64 non-deterministic because the (imported) derivations built by deb/deb-closure.pl are not stable. This can easily be observed by repeating the following sequence of commands and noting the path of the image's .drv: nix-instantiate -E '(import <nixpkgs> {}).vmTools.diskImageFuns.ubuntu1804x86_64 {}' nix-store --delete /nix/store/*ubuntu-18.04-bionic-amd64.nix One source of non-determinism is the handling of Provides/Replaces, which depends on the order of iteration over %packages. Here is a diff showing the corresponding change in output: >>> awk -virtual awk: using original-awk - original-awk: libc6 (>= 2.14) +virtual awk: using mawk + mawk: libc6 (>= 2.14) - mawk: libc6 (>= 2.14) ->>> libc6 This patch sorts packages by name for Provides/Replaces processing, which seems to result in stable output. (If the above turns out not to be sufficient, one could also set the PERL_HASH_SEED and PERL_PERTURB_KEYS environment variables, documented in 'perlrun', to disable Perl's built-in randomization. Complexity attacks are not an issue as we control and trust all inputs.) |
||
---|---|---|
.. | ||
applications | ||
build-support | ||
common-updater | ||
data | ||
desktops | ||
development | ||
games | ||
misc | ||
os-specific | ||
pkgs-lib | ||
servers | ||
shells | ||
stdenv | ||
test | ||
tools | ||
top-level |