Nix package for goa #109

Open
wants to merge 1 commit into
base: master

@johannesloetzsch johannesloetzsch commented Nov 4, 2024

Tested subcommands:

  • goa help
  • goa build
  • goa run
  • goa import
  • goa diff
  • goa depot-dir
  • goa build
  • goa extract-abi-symbols
  • goa run-dir
  • goa backtrace
  • goa export
  • goa publish
  • goa add-depot-user
  • goa archive-versions

Tested examples:

Other tasks:

  • ci

@ssumpf ssumpf marked this pull request as ready for review November 5, 2024 07:36
@ssumpf
Member

ssumpf commented Nov 5, 2024

I will install nix and try this out. A few questions: I see the nixpkgs-genode are provided by @zgzollers which looks a little bit like work in progress using Genode 23.11. What are the limitations there and how can it be updated to 24.10?

We should do something about the cross_dev_prefix. It can be already configured through the goarc file but is in this case architecture specific.

@johannesloetzsch
Author

> I will install nix and try this out.

Thank you @ssumpf :)

updates

> A few questions: I see the nixpkgs-genode are provided by @zgzollers which looks a little bit like work in progress using Genode 23.11. What are the limitations there and how can it be updated to 24.10?

I will take care of the update, and then document it here…

For the goa package, I only use the genode-toolchain, but not the full sources of genode.
The toolchain is taken from here.

According to https://genode.org/download/tool-chain and https://github.com/genodelabs/genode/releases, there is no official release of the pre-compiled toolchain since 23.05.
Would you recommend building the toolchain ourselves instead?

Unrelated to goa, you are right that the wonderful @zgzollers' nixpkgs-genode defaults to an older version of Genode when building the source package. Here it is defined that Genode 24.02 (commit 36a52c6) is used by default.
@zgzollers documented how to use another Genode source version instead of the default.
But sure, I am going to update the default and test building Genode 24.10 with nixpkgs-genode…

When you write that nixpkgs-genode would use Genode 23.11, you probably mixed it up with nixpkgs-genode using nixpkgs/nixos-23.11 (dependencies from nixpkgs in the version from the nixos release 23.11). This is just the host system used for building; updating it might not be that important.

cross_dev_prefix

> We should do something about the cross_dev_prefix. It can be already configured through the goarc file but is in this case architecture specific.

Yes, that would be nice.

At the moment https://github.com/genodelabs/goa/blob/master/share/goa/lib/command_line.tcl#L406 contains a hardcoded link to /usr/local/genode/tool/23.05/bin.
The nix package manager tries to avoid such hard-coded paths. Instead, nix installs packages in a path below /nix/store/${hash}-${package-name}/. This allows multiple instances of the same package (in this case genode-tools) to be installed in parallel.
For this reason, in the installPhase I patched the path, replacing the original hard coded path with the variable ${toolchain-bin}, which provides the directory in /nix/store/, where the dependency will be available.

@ssumpf
Member

ssumpf commented Nov 5, 2024

@johannesloetzsch: Since you only use the toolchain (which is updated every 2 years right now) from nixpkg-genode, I have good news for you: In the near future the toolchain will be installed by goa automatically (see: jschlatow@025bd05) and hopefully in a Nix friendly way. So my suggestion is: The next goa release is 25.04 (it is currently in sync with Sculpt releases). Could we aim for this feature for 25.04 and wait until #99 is through to refine your commit?

@johannesloetzsch
Author

> toolchain (which is updated every 2 years right now) from nixpkg-genode

👍 good to know

> […]
> So my suggestion is: The next goa release is 25.04 (it is currently in sync with Sculpt releases). Could we aim for this feature for 25.04 and wait until #99 is through to refine your commit?

Absolutely, I see no urge. I would suggest the following next steps:

  1. I continue testing the nix package. Once I'm happy, I change this PR draft into a real PR
  2. @nfeske, @chelmuth and some of @c3d2 would like to have a workshop about genode+nix development. We could do so in one of the next weeks or in early 2025. If you @ssumpf would be interested, you would be very welcome to join.
  3. further refinement can wait for Security considerations #99 and 25.04

@johannesloetzsch
Author

> I have good news for you: In the near future the toolchain will be installed by goa automatically (see: jschlatow@025bd05) and hopefully in a Nix friendly way.

Oh nice, I like the plan of using bubblewrap for sandboxing the builds :)

Completely unrelated to this pull request, it gets me started envisioning possibilities of also sandboxing the goa run. @nfeske and I briefly spoke yesterday about the idea of using goa for "normal linux users" to provide application bundles like flatpak/snap/appimage, but with the possibility of constraining individual components by the power of genode. It sounds very promising to me, however of course it is a completely different issue and would require to be very well-thought-out…

@johannesloetzsch
Author

For non-nix-users the idea of having goa install-toolchain sounds helpful :)

Users of the nix ecosystem usually prefer having their tools from a declaratively provided and locked source, instead of downloading them imperatively. Having reproducible environments is so nice, once one gets used to it ;)

For me or whoever maintains a nix-package, this feature causes some additional work:
During build-phase of the nix-package, no internet access is allowed. Nix very much encourages pure builds in a sandbox, ensuring that build-artifacts only depend on the defined dependencies, but no other side effects (like IO from network or disk state). For this reason goa install-toolchain is nothing I would consider to call while building the nix package. Instead the nix-idiomatic solution is using a source-package with content ensured via a cryptographic hash.

Still the goa install-toolchain feature might have valuable use cases for nix users at runtime. It could be used for downloading an updated version of the toolchain independent of the version defined in the nix-package (even though updating the nixpkgs is basically changing 2 lines of configuration).

To support goa install-toolchain on nixos, additional effort is required either by the maintainers of the toolchain or by patching goa when building the nix package. The challenge is that nix doesn't guarantee binaries to reside in /usr/bin or any other of the FHS default paths. The same is true for dynamically linked libraries.
So for software to work with nixos without patching, the software must not contain any hard-coded paths (e.g. in the shebang lines).
When packaging for nix, in most cases automatic patching works fine. To do so, the nix package of the genode-toolchain requires only 1 line.

Once I have finished packaging and testing the current version of goa, I'm willing to look into supporting the new feature…
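
The approach described in the comments above (a source pinned by cryptographic hash so the sandboxed build needs no network, and the hard-coded toolchain path in command_line.tcl rewritten in the installPhase), as an added example that is not the derivation from this pull request. The `toolchain-bin` argument, the copied `bin`/`share` layout, and the `version`, `rev` and `hash` values are assumptions or placeholders.

```nix
# Added illustration; not the derivation from this pull request.
# Assumption: `toolchain-bin` is the bin directory (a /nix/store path) of a
# separately packaged Genode toolchain, passed in by the caller.
{ lib, stdenv, fetchFromGitHub, toolchain-bin }:

stdenv.mkDerivation {
  pname = "goa";
  version = "0-unstable";        # placeholder

  # Fixed-output fetch: the download happens outside the build sandbox and
  # is rejected unless its content matches the pinned hash.
  src = fetchFromGitHub {
    owner = "genodelabs";
    repo = "goa";
    rev = "<commit-or-tag>";     # placeholder: pin an exact revision
    hash = lib.fakeHash;         # placeholder: replace with the hash Nix reports
  };

  dontBuild = true;              # goa is a set of scripts; nothing to compile

  installPhase = ''
    mkdir -p $out
    cp -r bin share $out/        # assumed repository layout

    # Guard: fail the build if the hard-coded path is no longer present, so
    # an upstream change cannot leave goa silently pointing outside the
    # store at an unmanaged toolchain.
    grep -q '/usr/local/genode/tool/23.05/bin' \
      $out/share/goa/lib/command_line.tcl

    substituteInPlace $out/share/goa/lib/command_line.tcl \
      --replace '/usr/local/genode/tool/23.05/bin' '${toolchain-bin}'
  '';
}
```

With `lib.fakeHash` in place the first build stops with a hash mismatch and prints the real value to pin; after that, any change to the fetched content fails the build instead of being picked up silently.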

@ssumpf
Member

ssumpf commented Nov 6, 2024

> 2. @nfeske, @chelmuth and some of @c3d2 would like to have a workshop about genode+nix development. We could do so in one of the next weeks or in early 2025. If you @ssumpf would be interested, you would be very welcome to join.

@johannesloetzsch: I certainly would be interested, but I have to know at least a month in advance because I am not in town that often any more.
