diff --git a/cmd/printdep/printdep.go b/cmd/printdep/printdep.go
index 9597e0832..7d209489a 100644
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@@ -18,7 +18,6 @@
 var (
 goToolchain = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
 goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
- goToolchainSRI = flag.Bool("go-sri", false, "print the SRI hash of the Tailscale Go toolchain")
 alpine = flag.Bool("alpine", false, "print the tag of alpine docker image")
 )
@@ -48,7 +47,4 @@ func main() {
 }
 fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
 }
- if *goToolchainSRI {
- fmt.Println(strings.TrimSpace(ts.GoToolchainSRI))
- }
 }
diff --git a/flake.nix b/flake.nix
index c87a5dec6..0ef1008c2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,44 +49,6 @@
 # doesn't build any software.
 fileContents = nixpkgs.legacyPackages.x86_64-linux.lib.fileContents;
- tailscale-go-rev = fileContents ./go.toolchain.rev;
- tailscale-go-sri = fileContents ./go.toolchain.sri;
-
- # pkgsWithTailscaleGo takes a nixpkgs package set, and replaces
- # its Go 1.19 compiler with tailscale's fork.
- #
- # We need to do this because the buildGoModule helper function is
- # constructed with legacy nix imports, so we cannot construct a
- # buildGoModule variant that uses tailscale's toolchain. Instead,
- # we have to replace the toolchain in nixpkgs, and let lazy
- # evaluation propagate it into the nixpkgs instance of
- # buildGoModule.
- #
- # This is a bit roundabout, but there doesn't seem to be a more
- # elegant way of resolving the impedance mismatch between legacy
- # nixpkgs style imports and flake semantics, unless upstream
- # nixpkgs exposes the buildGoModule constructor func explicitly.
- pkgsWithTailscaleGo = pkgs: pkgs.extend (final: prev: rec {
- tailscale_go = prev.lib.overrideDerivation prev.go_1_20 (attrs: rec {
- name = "tailscale-go-${version}";
- version = tailscale-go-rev;
- src = pkgs.fetchFromGitHub {
- owner = "tailscale";
- repo = "go";
- rev = tailscale-go-rev;
- sha256 = tailscale-go-sri;
- };
- nativeBuildInputs = attrs.nativeBuildInputs ++ [ pkgs.git ];
- # Remove dependency on xcbuild as that causes iOS/macOS builds to fail.
- propagatedBuildInputs = [];
- checkPhase = "";
- TAILSCALE_TOOLCHAIN_REV = tailscale-go-rev;
- });
- # Override go_1_20 so that buildGo120Module below uses
- # tailscale's toolchain as well.
- go_1_20 = tailscale_go;
- });
-
 # tailscaleRev is the git commit at which this flake was imported,
 # or the empty string when building from a local checkout of the
 # tailscale repo.
@@ -100,7 +62,7 @@
 # specify vendorSha256, and that sha changes any time we alter
 # go.mod. We don't want to force a nix dependency on everyone
 # hacking on Tailscale, so this flake is likely to have broken
- # builds periodically until somoene comes through and manually
+ # builds periodically until someone comes through and manually
 # fixes them up. I sure wish there was a way to express "please
 # just trust the local go.mod, vendorSha256 has no benefit here",
 # but alas.
@@ -131,27 +93,25 @@
 # OS/CPU combos that nix supports, as well as a dev shell so that
 # "nix develop" and "nix-shell" give you a dev env.
 flakeForSystem = nixpkgs: system: let
- upstreamPkgs = nixpkgs.legacyPackages.${system};
- pkgs = pkgsWithTailscaleGo upstreamPkgs;
+ pkgs = nixpkgs.legacyPackages.${system};
 ts = tailscale pkgs;
 in {
 packages = {
- tailscale-go = pkgs.tailscale-go;
 tailscale = ts;
 };
 devShell = pkgs.mkShell {
- packages = with upstreamPkgs; [
+ packages = with pkgs; [
 curl
 git
 gopls
 gotools
 graphviz
 perl
- pkgs.tailscale_go
+ go_1_20
 ];
 };
 };
 in
 flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-afcuo/pcLnfFHYTViYi8rPM0ovnUuawuZ26cYhZ1hss= sha256-dhoXBuYV9lE+ssIK4i/TG4cFbzUKSOKnQP47qEEcvsQ=
+# nix-direnv cache busting line: sha256-Y4HgqikudINw28LcX4EVONxmtR0CEGKM3M76ahzfuFY=
diff --git a/go.mod.sri b/go.mod.sri
index 8734adf1b..a4d0fc241 100644
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-dhoXBuYV9lE+ssIK4i/TG4cFbzUKSOKnQP47qEEcvsQ=
+sha256-Y4HgqikudINw28LcX4EVONxmtR0CEGKM3M76ahzfuFY=
diff --git a/go.toolchain.rev b/go.toolchain.rev
index 3117a39a1..a22e1afee 100644
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-6a17f14c058e230cc620b72cf80099c2aa7f7335
+178d6bce616ceefcdd687341cb74d7d8868877a7
diff --git a/go.toolchain.sri b/go.toolchain.sri
deleted file mode 100644
index d9129e716..000000000
--- a/go.toolchain.sri
+++ /dev/null
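Review bot: In the flake.nix hunk at `@@ -131,27 +93,25 @@`, `pkgs = nixpkgs.legacyPackages.${system};` and the `go_1_20` entry in the devShell list switch the flake to stock nixpkgs Go, while go.toolchain.rev is still bumped in this same commit to pin the tailscale/go fork, and nothing in the file records that the two now differ. The override removed earlier in this file also set `TAILSCALE_TOOLCHAIN_REV` on the toolchain derivation; whether anything depends on it is not visible here. I would add a comment above the `pkgs =` line, such as `# Uses stock nixpkgs Go (go_1_20), not the tailscale/go fork pinned in go.toolchain.rev.`, so a Nix build or dev shell is not mistaken for one made with the pinned toolchain.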
@@ -1 +0,0 @@
-sha256-afcuo/pcLnfFHYTViYi8rPM0ovnUuawuZ26cYhZ1hss=
diff --git a/pull-toolchain.sh b/pull-toolchain.sh
index 8bbf8dbb4..5aba28a6d 100755
--- a/pull-toolchain.sh
+++ b/pull-toolchain.sh
@@ -12,6 +12,6 @@ if [ "$upstream" != "$current" ]; then
 ./update-flake.sh
 fi
-if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.toolchain.sri go.mod.sri)" ]; then
+if [ -n "$(git diff-index --name-only HEAD -- go.toolchain.rev go.mod.sri)" ]; then
 echo "pull-toolchain.sh: changes imported. Use git commit to make them permanent." >&2
 fi
diff --git a/shell.nix b/shell.nix
index ca286d535..0fca08295 100644
--- a/shell.nix
+++ b/shell.nix
@@ -16,4 +16,4 @@
 ) {
 src = ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-afcuo/pcLnfFHYTViYi8rPM0ovnUuawuZ26cYhZ1hss= sha256-dhoXBuYV9lE+ssIK4i/TG4cFbzUKSOKnQP47qEEcvsQ=
+# nix-direnv cache busting line: sha256-Y4HgqikudINw28LcX4EVONxmtR0CEGKM3M76ahzfuFY=
diff --git a/tool/go b/tool/go
index 1f31c21df..da8752446 100755
--- a/tool/go
+++ b/tool/go
@@ -58,14 +58,7 @@ get_cached() {
 rm -f "$archive.new" "$TOOLCHAIN.extracted"
 if [ ! -e "$archive" ]; then
 log "Need to download go '$REV'."
- if [ "$ARCH" = "amd64" ]; then
- # For historic reasons, the tailscale/go amd64 release artifacts don't
- # have the arch in their name.
- BUILD="$GOOS"
- else
- BUILD="$GOOS-$ARCH"
- fi
- curl -f -L -o "$archive.new" "https://github.com/tailscale/go/releases/download/build-${REV}/${BUILD}.tar.gz"
+ curl -f -L -o "$archive.new" "https://github.com/tailscale/go/releases/download/build-${REV}/${GOOS}-${ARCH}.tar.gz"
 rm -f "$archive"
 mv "$archive.new" "$archive"
 fi
diff --git a/update-flake.sh b/update-flake.sh
index 81fd73cc5..ed0784de5 100755
--- a/update-flake.sh
+++ b/update-flake.sh
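Review bot: In get_cached (tool/go), the archive fetched by the rewritten `curl -f -L -o "$archive.new" …/${GOOS}-${ARCH}.tar.gz` line is moved into place with no digest check visible in this hunk, so the toolchain is trusted on the release URL and TLS alone. A release asset can be replaced after it is published, and this commit also deletes go.toolchain.sri, the one toolchain content hash visible in this diff (it covered the source archive used by Nix, not this binary tarball). I would commit an expected SHA-256 per GOOS/ARCH alongside go.toolchain.rev and compare it before the `mv`, e.g. `echo "$want  $archive.new" | sha256sum -c - || { rm -f "$archive.new"; exit 1; }`, with `$want` (a placeholder name) read from that file and `shasum -a 256` used on hosts without sha256sum. get_cached starts and ends outside the hunk, so a check may already exist further down; if it does, a comment at the download pointing to it would be enough.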
@@ -8,11 +8,6 @@ REV=$(cat go.toolchain.rev)
 OUT=$(mktemp -d -t nar-hash-XXXXXX)
 rm -rf $OUT
-mkdir $OUT
-curl --silent -L https://github.com/tailscale/go/archive/refs/tags/build-$REV.tar.gz | tar -zx -C $OUT --strip-components 1
-go run tailscale.com/cmd/nardump --sri $OUT >go.toolchain.sri
-rm -rf $OUT
-
 go mod vendor -o $OUT
 go run tailscale.com/cmd/nardump --sri $OUT >go.mod.sri
 rm -rf $OUT
@@ -21,5 +16,5 @@ rm -rf $OUT
 # result, when we change a referenced SRI file, we have to cause some
 # change to shell.nix and flake.nix as well, so that nix-direnv
 # notices and reevaluates everything. Sigh.
-perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," shell.nix
-perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.toolchain.sri) $(cat go.mod.sri)," flake.nix
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.mod.sri)," shell.nix
+perl -pi -e "s,# nix-direnv cache busting line:.*,# nix-direnv cache busting line: $(cat go.mod.sri)," flake.nix
diff --git a/version-embed.go b/version-embed.go
index da2bb10ff..b65759310 100644
--- a/version-embed.go
+++ b/version-embed.go
@@ -17,9 +17,3 @@
 //
 //go:embed go.toolchain.rev
 var GoToolchainRev string
-
-// GoToolchainSRI is the Nix SRI hash of the Go toolchain identified
-// by GoToolchainRev. It may end in a newline.
-//
-//go:embed go.toolchain.sri
-var GoToolchainSRI string