Force explicit nixpkgs

[guibou]

This closes #24 by forcing an explicit nixpkgs clone.

• If the user provides no nix_file, and no path or repository, it fails with a bazel error
• If the user provides a nix_file, there is no solution to detect if the file is indeed using a pinned nixpkgs clone. We just override NIX_PATH to an invalid path and hop for the best

I'm not happy with the way I'm abusing NIX_PATH to write an error message. Any better idea?

[mboes]

The spirit of what you want is simple: NIX_PATH should never be inherited. So if you change the code to do exactly that, it'll become simpler than what's currently there.

• If path is set, set NIX_PATH accordingly.
• If repository is set, set NIX_PATH accordingly.
• If neither, set NIX_PATH to empty (or in fact don't set it all - that probably works too).

With your current patch, hermeticity is not completely ensured. Because (quoting from the nix-build man page):

Add a path to the Nix expression search path. [...] Paths added through -I take precedence over NIX_PATH.

[mboes]

Why do this? Setting NIX_PATH= (i.e. to the empty string) works equally well.

[guibou]

Yes, but there is no clear if user provides a nix-file with implicit nixpkgs.

Compare, with this complex NIX_PATH:

[nix-shell:~/tweag/rules_nixpkgs]$ bazel test //...
INFO: Build options have changed, discarding analysis cache.
warning: Nix search path entry 'implicit nixpkgs value is disabled for hermeticity reason. Please set either 'path' or 'repository' in your rule OR set a 'nix_file' or 'nix_file_content' which explicitly fetch a pinned nixpkgs' does not exist, ignoring
error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:19
ERROR: /home/guillaume/tweag/rules_nixpkgs/tests/BUILD:3:2: no such package '@expr-test//': Cannot build Nix attribute expr-test.
stdout:


stderr:
warning: Nix search path entry 'implicit nixpkgs value is disabled for hermeticity reason. Please set either 'path' or 'repository' in your rule OR set a 'nix_file' or 'nix_file_content' which explicitly fetch a pinned nixpkgs' does not exist, ignoring
error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:19

 and referenced by '//tests:run-expr-test'
ERROR: Analysis of target '//tests:run-expr-test' failed; build aborted: no such package '@expr-test//': Cannot build Nix attribute expr-test.
stdout:


stderr:
warning: Nix search path entry 'implicit nixpkgs value is disabled for hermeticity reason. Please set either 'path' or 'repository' in your rule OR set a 'nix_file' or 'nix_file_content' which explicitly fetch a pinned nixpkgs' does not exist, ignoring
error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:19

INFO: Elapsed time: 0.617s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (4 packages loaded)
FAILED: Build did NOT complete successfully (4 packages loaded)

With empty NIX_PATH:

[nix-shell:~/tweag/rules_nixpkgs]$ bazel test //...
INFO: Build options have changed, discarding analysis cache.
error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:19
ERROR: /home/guillaume/tweag/rules_nixpkgs/tests/BUILD:3:2: no such package '@expr-test//': Cannot build Nix attribute expr-test.
stdout:


stderr:
error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:19

 and referenced by '//tests:run-expr-test'
ERROR: Analysis of target '//tests:run-expr-test' failed; build aborted: no such package '@expr-test//': Cannot build Nix attribute expr-test.
stdout:


stderr:
error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I), at (string):1:19

INFO: Elapsed time: 1.300s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (4 packages loaded)
FAILED: Build did NOT complete successfully (4 packages loaded)

[mboes]

This is like using 0 as an error value instead of a Maybe type, or Verisign replacing all "Domain not found" errors with Site Finder. a) we should not be in the business of abusing environment variables meant for structured input to the Nix interpreter as unstructured output to the user. b) we should not assume that users can't follow a structured debugging process. Give them good documentation and get out of their way.

[guibou]

Ok.

[guibou]

I agree that the solution is hackish, but I rather prefer that than an error with limited details.

[mboes]

Simplify the error message:

One of 'path' or 'repository' must be provided. The NIX_PATH environment variable is not inherited.

[guibou]

But what about nix_file which point to a pinned repository. User have the right to do that and the error message should tell them, no?

[mboes]

Then adjust the error message accordingly.

One of 'path', 'repository', nix_file or nix_file_content must be provided. The NIX_PATH environment variable is not inherited.

Error messages should be pithy, to the point and assume as little about what the user is doing as possible.

[mboes]

Use De Morgan's law for a more readable guard.

[guibou]

I disagree about readability, but I'm sure that's a matter of personal taste, I'll follow yours for that one.

[guibou]

@mboes I addressed the points of your review, please have a new look.

Done

[guibou]

@mboes I addressed your review, added a CHANGELOG entry and updated the documentation.