What are your thoughts about bringing Grafts to Nix? #115
Comments
We do in fact have [1]:

The post in question: https://delroth.net/posts/nixos-security-wishlist/

@doronbehar asked where to read more about this; there isn't a mention in the NixOS/Nixpkgs manual or the Nix reference, but you can read about it in the source code of nixpkgs.
Our current mechanisms are not very easy to use (try replacing a self-referential glibc!). But the idea is worth pursuing; I have done a little bit myself. And so are the alternatives. I don't really see this as an either-or situation, so people should be free to pursue these developments independently.
Could you please share an official documentation for that? I couldn't find any 😄
I'm a big fan of Guix's ideas around UX/DX in general (despite implying the opposite in my candidacy doc ;)), and I think grafts would be a good thing to have. I've napkin-sketched some ideas for an implementation of them before, but it never really got off the ground. I would love for this to be done eventually.
On the surface, this seems like a good idea. I can think of a few ways this might be implemented today, and it should be substantially easier still once content-addressed derivations land (handwaving some very important architectural assumptions, of course). I invite anyone to submit an RFC for this! We could learn a lot from our Guix friends.
Grafts are a useful tool that I think Nix could definitely use. (Mass rebuilds for a quick security fix is... suboptimal when it needs to be deployed quickly.) Whether a system exactly like grafts should be implemented, or whether it should be something more suited to Nix that is inspired by grafts, I can't say. But a system for small patches without rebuilding the entire tree is needed. Even if it can be technically incorrect package-wise, it will reach eventual consistency. (Plus users can opt-out and mass rebuild to their heart's content.)
As others have pointed out, we have functions with similar but not the same semantics, and these kinds of mechanisms are useful, but also a bit hacky. It's definitely a topic where we should look at all the options. One option to consider is more cleanly separating build-time and runtime dependencies, as suggested here: NixOS/nix#1080. PS: I am a big fan of the Build Systems à la Carte paper linked in that article you posted as well.
Question
Grafts are a way from Guix to bring fixes to packages that a lot of other packages depend on without having to rebuild the world basically.
What are your thoughts about bringing an equivalent feature to Nix?
[1] https://guix.gnu.org/blog/2020/grafts-continued/
Candidates I'd like to get an answer from
No response
Reminder of the Q&A rules
Please adhere to the Q&A guidelines and rules
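To make the grafting idea discussed above concrete, here is a small model of what a graft does to an already-built output: it rewrites the references to the vulnerable store path in place rather than rebuilding the dependents. This is an added example, not code from Guix, Nix or this thread; the store paths and the ELF-like blob are constructed, and `graft`, `references`, `same_length` and `try_graft` are hypothetical helpers. It also shows the constraint a grafting implementation has to enforce: the replacement path must have exactly the same length, or byte offsets inside the binary shift.

```python
"""Toy model of a Guix-style graft: patch store-path references inside an
already-built output instead of rebuilding every dependent package.
Hypothetical example; paths and the binary blob are constructed, not real."""
import re

STORE = "/nix/store"
# Nix store path: 32-char base-32 hash (alphabet omits e, o, t, u), then "-name".
STORE_PATH_RE = re.compile(rb"/nix/store/[0-9a-df-np-sv-z]{32}-[A-Za-z0-9+._?=-]+")

# Constructed store paths: same name, different (made-up) hashes.
OLD_GLIBC = f"{STORE}/{'a' * 32}-glibc-2.31"
FIXED_GLIBC = f"{STORE}/{'b' * 32}-glibc-2.31"
# A replacement whose store file name is longer cannot be spliced in place.
LONGER_GLIBC = f"{STORE}/{'b' * 32}-glibc-2.31-patched"

# Constructed "binary": an ELF-like blob with an embedded RPATH and an
# interpreter path, both hard-coded to the old glibc (this is what makes a
# dependent need a rebuild, or a graft, when glibc is fixed).
SAMPLE_OUTPUT = (
    b"\x7fELF" + b"\x00" * 12
    + b"RPATH=" + OLD_GLIBC.encode() + b"/lib\x00"
    + b"interp=" + OLD_GLIBC.encode() + b"/lib/ld-linux-x86-64.so.2\x00"
)


def references(content: bytes) -> set[str]:
    """Store paths mentioned in an output (simplified reference scan; Nix
    itself keys on the 32-char hash rather than the whole path)."""
    return {m.group(0).decode() for m in STORE_PATH_RE.finditer(content)}


def same_length(old: str, new: str) -> bool:
    """A graft is only sound when the replacement is byte-for-byte the same
    length; otherwise every offset after the path inside the file would move."""
    return len(old) == len(new)


def graft(content: bytes, replacements: dict[str, str]) -> bytes:
    """Rewrite each reference to an old path with its fixed replacement."""
    for old, new in replacements.items():
        if not same_length(old, new):
            raise ValueError(f"graft length mismatch: {old!r} -> {new!r}")
        content = content.replace(old.encode(), new.encode())
    return content


def try_graft(content: bytes, replacements: dict[str, str]):
    """Grafted output, or None when a replacement cannot be applied in place."""
    try:
        return graft(content, replacements)
    except ValueError:
        return None
```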