|
| 1 | +# Custom Go Nix Flake |
| 2 | + |
| 3 | +## Why a flake? |
| 4 | + |
| 5 | +Nix tends to be several minor versions behind Go's official releases. |
| 6 | + |
| 7 | +This posses chanllenges in two situations: |
| 8 | + |
| 9 | +1. When Go moves to a new majoer version |
| 10 | +1. When Go has a vulnerability on the current latest Nix version, fixed by a newer official release |
| 11 | + |
| 12 | +For major versions it is usually fine to wait for Nix to have a major version compilation avaiable for devbox to use. This is because, no matter how early we may want to upgrade, many go tools we depend on, such as licence checking or linting or Kubernetes libraries such as `controller-runtime`, usually need some time to catch up with the major release anyways. By the time they support the new major version, there is usually a Nix compilation of the new Go release, at least in the unstable channel. |
| 13 | + |
| 14 | +For minor versions, it can be more problematic. If the latest Nix available release is compromised, it mgiht take a few days or weeks for the new version to become available in Nix. On the other hand, Go only marks a vulnerable release after releasing the fixed version. |
| 15 | + |
| 16 | +In other words, we need to be able to move to the latest Go release as needed, specially to avoid vulvnerabilities within the same major version. |
| 17 | + |
| 18 | +## How |
| 19 | + |
| 20 | +The current flake in this directory will download and install the pre-compiled binaries straight from https://go.dev/dl, that is the official Go downloads site. It only supports 2 platforms: |
| 21 | +- `x86_64-linux` for the CI and Linux developers. |
| 22 | +- `aarch64-darwin` for developers working on MacOS. |
| 23 | + |
| 24 | +The flake derivation does not build anything, just unpacks and places the binaries where expected to be used by the resulting flake. |
| 25 | + |
| 26 | +## Updating |
| 27 | + |
| 28 | +The flake is pinned to a particular Go point release. To bump the downloaded binary you have to: |
| 29 | + |
| 30 | +1. Bump the `goVersion` variable. E.g. `goVersion = "1.25.3";` -> `goVersion = "1.25.4";` |
| 31 | +2. Replace both `sha256` variable values with the correct ones for the new downloaded file. |
| 32 | + |
| 33 | +One easy way to read the expected sha 256 hash to be used for each `sha-256` setting is to using `nix-prefetch-url` or `nix store prefetch-file --json` to grab the file and hash it. |
| 34 | + |
| 35 | +For example: |
| 36 | + |
| 37 | +```shell |
| 38 | +$ nix store prefetch-file --json https://go.dev/dl/go1.25.3.linux-amd64.tar.gz |jq -r .hash |
| 39 | +sha256-AzXzFLbnv+CMPQz6p8GduWG3uZ+yC+YrCoJsmSrRTg8= |
| 40 | +``` |
| 41 | + |
| 42 | +Make sure to use the correct architecture filename download to grab its corresponding sha 256 hash. |
| 43 | + |
| 44 | +## Testing |
| 45 | + |
| 46 | +Using `devbox shell` normally would already grab and build the flake, as referenced by devbox.json entry `"path:./flakes/go": {}`. Still if you want to test the flake buil in isolation you can run (in this directory): |
| 47 | + |
| 48 | +``shell |
| 49 | +nix build . |
| 50 | +``` |
| 51 | +
|
| 52 | +On success a `result` entry in teh directory soft links to the built flake. |
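Review bot: In the Updating section the `sha256` values are taken from whatever `nix store prefetch-file --json ... | jq -r .hash` downloads, which only pins the flake to the bytes first fetched and does not establish that they are the official release; since this flake deliberately bypasses the nixpkgs build and installs pre-compiled binaries from https://go.dev/dl, the README should require comparing the prefetched hash with the SHA256 checksum published beside each archive on the downloads page before committing the bump (the same applies to the `aarch64-darwin` archive, whose hash must come from the `darwin-arm64` file, not the `linux-amd64` one shown in the example). Smaller points in the same hunk: the Testing fence opens with two backticks (``shell) so the `nix build .` block will not render; the prose refers to a `sha-256` setting while the variables are named `sha256`; "If the latest Nix available release is compromised" should read "vulnerable", which is what the surrounding paragraph means; and there are typos to fix: posses/chanllenges, majoer, avaiable, mgiht, vulvnerabilities, buil, teh.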