[PATCH] Add dontFixup=true to derivations that build images

[PATCH] Add dontFixup=true to derivations that build images

[Demi Marie Obenour]

This prevents lengthy and pointless scans of large image files.
dontFixup is added to the derivations that already used
unsafeDiscardReferences.  Both dontFixup and unsafeDiscardReferences are
added to a derivation that builds an ext4 filesystem image.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 host/initramfs/default.nix             | 3 +++
 host/rootfs/default.nix                | 1 +
 img/app/default.nix                    | 2 ++
 release/checks/integration/default.nix | 2 ++
 release/combined/default.nix           | 3 +++
 release/combined/eosimages.nix         | 1 +
 release/live/default.nix               | 2 ++
 vm-lib/make-vm.nix                     | 1 +
 vm/sys/net/default.nix                 | 2 ++
 9 files changed, 17 insertions(+)

diff --git a/host/initramfs/default.nix b/host/initramfs/default.nix
index a3672bfeb7002f81bf67bfc13c0b757d46b93d66..51305a7da1645ca63f1c9b2f07a15aa0d5659ff2 100644
--- a/host/initramfs/default.nix
+++ b/host/initramfs/default.nix
@@ -63,6 +63,7 @@ let
     nativeBuildInputs = [ cpio ];
     __structuredAttrs = true;
     unsafeDiscardReferences = { out = true; };
+    dontFixup = true;
   } ''
     cpio -id < ${microcodeAmd}/amd-ucode.img
     cpio -id < ${microcodeIntel}/intel-ucode.img
@@ -82,6 +83,7 @@ let
 
     __structuredAttrs = true;
     unsafeDiscardReferences = { out = true; };
+    dontFixup = true;
   } ''
     cd ${packagesSysroot}
     (printf "%s\n" "''${storePrefixes[@]}" && find . $(< $storePaths)) |
@@ -118,6 +120,7 @@ stdenvNoCC.mkDerivation {
   __structuredAttrs = true;
 
   unsafeDiscardReferences = { out = true; };
+  dontFixup = true;
 
   passthru = { inherit packagesSysroot; };
 }
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index 484a43f372f934e6b3be0c383d12c9eabf2f7171..1673a83e9d70da6f22fa71c4a79e0eaeff309fc2 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -195,6 +195,7 @@ stdenvNoCC.mkDerivation {
   __structuredAttrs = true;
 
   unsafeDiscardReferences = { out = true; };
+  dontFixup = true;
 
   passthru = {
     inherit appvm firmware kernel nixosAllHardware packagesSysroot pkgsGui;
diff --git a/img/app/default.nix b/img/app/default.nix
index 2863cbdfc067c8a6de018e5f0920d00878cf96ff..5cd381e837db3057590c075cf2b33a486cc188bc 100644
--- a/img/app/default.nix
+++ b/img/app/default.nix
@@ -134,6 +134,8 @@ stdenvNoCC.mkDerivation {
 
   unsafeDiscardReferences = { out = true; };
 
+  dontFixup = true;
+
   meta = with lib; {
     license = licenses.eupl12;
     platforms = platforms.linux;
diff --git a/release/checks/integration/default.nix b/release/checks/integration/default.nix
index 570918613e083b0c2d7c82486544b6405ae5ea89..582a4be8df3098ddaf318b7dac60690c2f8b2304 100644
--- a/release/checks/integration/default.nix
+++ b/release/checks/integration/default.nix
@@ -37,6 +37,8 @@ let
 
   userData = runCommand "user-data.img" {
     nativeBuildInputs = [ e2fsprogs tar2ext4 ];
+    unsafeDiscardReferences = true;
+    dontFixup = true;
   } ''
     tar -Pcvf root.tar \
         --transform=s,^${appimage},test.appimage, ${appimage} \
diff --git a/release/combined/default.nix b/release/combined/default.nix
index 5c917951f845ee94871a0532f3145493f8ee06ba..cb64f34bef9c397014d7303da39497e1216a2a62 100644
--- a/release/combined/default.nix
+++ b/release/combined/default.nix
@@ -31,6 +31,7 @@ let
     nativeBuildInputs = [ squashfs-tools-ng ];
     __structuredAttrs = true;
     unsafeDiscardReferences = { out = true; };
+    dontFixup = true;
   } ''
     sed 's,^${storeDir}/,,' ${writeClosure [ installer.store ]} |
         tar -C ${storeDir} -c --verbatim-files-from -T - \
@@ -64,6 +65,7 @@ let
     __structuredAttrs = true;
 
     unsafeDiscardReferences = { out = true; };
+    dontFixup = true;
 
     passthru = { inherit grubCfg; };
   } ''
@@ -91,6 +93,7 @@ runCommand "spectrum-installer" {
   nativeBuildInputs = [ grub jq util-linux systemdMinimal ];
   __structuredAttrs = true;
   unsafeDiscardReferences = { out = true; };
+  dontFixup = true;
   passthru = { inherit eosimages esp installer rootfs; };
 } ''
   blockSize() {
diff --git a/release/combined/eosimages.nix b/release/combined/eosimages.nix
index 351265bbd54a04b1c1fd3aa6f4c23dad57bd4395..0ac4c48374e7098a2b91f61fc07cebb2042ffbdc 100644
--- a/release/combined/eosimages.nix
+++ b/release/combined/eosimages.nix
@@ -10,6 +10,7 @@ runCommand "eosimages.img" {
   image = callSpectrumPackage ../live {};
   __structuredAttrs = true;
   unsafeDiscardReferences = { out = true; };
+  dontFixup = true;
 } ''
   mkdir dir
   cd dir
diff --git a/release/live/default.nix b/release/live/default.nix
index 7a856149de4c736fd850fa37b9f09db9715007a0..5320ce0ecbd7e8912d91f725327a4cfd3d456a54 100644
--- a/release/live/default.nix
+++ b/release/live/default.nix
@@ -63,6 +63,8 @@ stdenv.mkDerivation {
 
   unsafeDiscardReferences = { out = true; };
 
+  dontFixup = true;
+
   passthru = { inherit initramfs rootfs; };
 }
 ) (_: {})
diff --git a/vm-lib/make-vm.nix b/vm-lib/make-vm.nix
index 0812b8ea53404c620829fc79bb61005e0bc75b8d..ea7ace99034029325405bd237b8fd50e071bb358 100644
--- a/vm-lib/make-vm.nix
+++ b/vm-lib/make-vm.nix
@@ -31,6 +31,7 @@ runCommand "spectrum-vm" {
   __structuredAttrs = true;
 
   unsafeDiscardReferences = { out = true; };
+  dontFixup = true;
 } ''
   mkdir -p $out/{blk,fs,providers}
   pushd "$out"
diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix
index b8dc964dd75eccf230cac285dd2a32e7fd75dc9a..478545d2680025a99c2032689c6cc7011dc851c8 100644
--- a/vm/sys/net/default.nix
+++ b/vm/sys/net/default.nix
@@ -132,6 +132,8 @@ stdenvNoCC.mkDerivation {
 
   unsafeDiscardReferences = { out = true; };
 
+  dontFixup = true;
+
   passthru = { inherit firmware kernel packagesSysroot; };
 
   meta = with lib; {

---
base-commit: db54efac07deee32f39bdec4e4b8b73674df18c7
change-id: 20251025-dont-fixup-5389ba1b0b7f

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Re: [PATCH] Add dontFixup=true to derivations that build images

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 2017 bytes --]

Demi Marie Obenour <demiobenour@gmail.com> writes:

> This prevents lengthy and pointless scans of large image files.
> dontFixup is added to the derivations that already used
> unsafeDiscardReferences.  Both dontFixup and unsafeDiscardReferences are
> added to a derivation that builds an ext4 filesystem image.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
>  host/initramfs/default.nix             | 3 +++
>  host/rootfs/default.nix                | 1 +
>  img/app/default.nix                    | 2 ++
>  release/checks/integration/default.nix | 2 ++
>  release/combined/default.nix           | 3 +++
>  release/combined/eosimages.nix         | 1 +
>  release/live/default.nix               | 2 ++
>  vm-lib/make-vm.nix                     | 1 +
>  vm/sys/net/default.nix                 | 2 ++
>  9 files changed, 17 insertions(+)

Good idea!

> diff --git a/release/checks/integration/default.nix b/release/checks/integration/default.nix
> index 570918613e083b0c2d7c82486544b6405ae5ea89..582a4be8df3098ddaf318b7dac60690c2f8b2304 100644
> --- a/release/checks/integration/default.nix
> +++ b/release/checks/integration/default.nix
> @@ -37,6 +37,8 @@ let
>  
>    userData = runCommand "user-data.img" {
>      nativeBuildInputs = [ e2fsprogs tar2ext4 ];
> +    unsafeDiscardReferences = true;
> +    dontFixup = true;
>    } ''
>      tar -Pcvf root.tar \
>          --transform=s,^${appimage},test.appimage, ${appimage} \

This is not correct, because 1) unsafeDiscardReferences is an attribute
set; 2) it doesn't do anything without __structuredAttrs.

https://nix.dev/manual/nix/2.26/language/advanced-attributes#adv-attr-unsafeDiscardReferences

So I'm going to make a standalone commit first that adds
__structuredAttrs and unsafeDiscardReferences here, and then apply the
rest of this.  I'll also tweak it to group __structuredAttrs,
unsafeDiscardReferences, and dontFixup, so it's clear they should be
applied together if being copied.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH] Add dontFixup=true to derivations that build images

[Alyssa Ross]

This patch has been committed as b1bb4e5050b09a8edcafc0cf1b1b9c9ab42832bc,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=b1bb4e5050b09a8edcafc0cf1b1b9c9ab42832bc.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

Re: [PATCH] Add dontFixup=true to derivations that build images

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 2243 bytes --]

On 10/28/25 08:57, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
> 
>> This prevents lengthy and pointless scans of large image files.
>> dontFixup is added to the derivations that already used
>> unsafeDiscardReferences.  Both dontFixup and unsafeDiscardReferences are
>> added to a derivation that builds an ext4 filesystem image.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>>  host/initramfs/default.nix             | 3 +++
>>  host/rootfs/default.nix                | 1 +
>>  img/app/default.nix                    | 2 ++
>>  release/checks/integration/default.nix | 2 ++
>>  release/combined/default.nix           | 3 +++
>>  release/combined/eosimages.nix         | 1 +
>>  release/live/default.nix               | 2 ++
>>  vm-lib/make-vm.nix                     | 1 +
>>  vm/sys/net/default.nix                 | 2 ++
>>  9 files changed, 17 insertions(+)
> 
> Good idea!

Thank you!

>> diff --git a/release/checks/integration/default.nix b/release/checks/integration/default.nix
>> index 570918613e083b0c2d7c82486544b6405ae5ea89..582a4be8df3098ddaf318b7dac60690c2f8b2304 100644
>> --- a/release/checks/integration/default.nix
>> +++ b/release/checks/integration/default.nix
>> @@ -37,6 +37,8 @@ let
>>  
>>    userData = runCommand "user-data.img" {
>>      nativeBuildInputs = [ e2fsprogs tar2ext4 ];
>> +    unsafeDiscardReferences = true;
>> +    dontFixup = true;
>>    } ''
>>      tar -Pcvf root.tar \
>>          --transform=s,^${appimage},test.appimage, ${appimage} \
> 
> This is not correct, because 1) unsafeDiscardReferences is an attribute
> set; 2) it doesn't do anything without __structuredAttrs.
> 
> https://nix.dev/manual/nix/2.26/language/advanced-attributes#adv-attr-unsafeDiscardReferences
> 
> So I'm going to make a standalone commit first that adds
> __structuredAttrs and unsafeDiscardReferences here, and then apply the
> rest of this.  I'll also tweak it to group __structuredAttrs,
> unsafeDiscardReferences, and dontFixup, so it's clear they should be
> applied together if being copied.

That worked great!  I should read the Nix manual next time.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]