buildRustPackage: add verifyCargoDeps option

One issue with cargoSha256 is that it's hard to detect when it needs to
be updated or not. It's possible to upgrade a package and forget to
update cargoSha256 and run with old versions of the program or
libraries.

This commit introduces `verifyCargoDeps` which, when enabled, will check
that the Cargo.lock is not out of date in the cargoDeps by comparing it
with the package source.

doc/languages-frameworks/rust.section.md

@@ -43,6 +43,7 @@ rustPlatform.buildRustPackage rec {
   };
 
   cargoSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
+  verifyCargoDeps = true;
 
   meta = with stdenv.lib; {
     description = "A fast line-oriented regex search tool, similar to ag and ack";
@@ -64,6 +65,9 @@ When the `Cargo.lock`, provided by upstream, is not in sync with the
 added in `cargoPatches` will also be prepended to the patches in `patches` at
 build-time.
 
+When `verifyCargoDeps` is set to `true`, the build will also verify that the
+`cargoSha256` is not out of date by comparing the `Cargo.lock` file in both the `cargoDeps` and `src`. Note that this option changes the value of `cargoSha256` since it also copies the `Cargo.lock` in it. To avoid breaking backward-compatibility this option is not enabled by default but hopefully will be in the future.
+
 ## Compiling Rust crates using Nix instead of Cargo
 
 ### Simple operation

pkgs/build-support/rust/default.nix

@@ -13,6 +13,9 @@
 , cargoUpdateHook ? ""
 , cargoDepsHook ? ""
 , cargoBuildFlags ? []
+, # Set to true to verify if the cargo dependencies are up to date.
+  # This will change the value of cargoSha256.
+  verifyCargoDeps ? false
 , buildType ? "release"
 , meta ? {}
 
@@ -26,6 +29,7 @@ let
   cargoDeps = if cargoVendorDir == null
     then fetchcargo {
         inherit name src srcs sourceRoot cargoUpdateHook;
+        copyLockfile = verifyCargoDeps;
         patches = cargoPatches;
         sha256 = cargoSha256;
       }
@@ -95,6 +99,21 @@ stdenv.mkDerivation (args // {
 
     unset cargoDepsCopy
     export RUST_LOG=${logLevel}
+  '' + stdenv.lib.optionalString verifyCargoDeps ''
+    if ! diff source/Cargo.lock $cargoDeps/Cargo.lock ; then
+      echo
+      echo "ERROR: cargoSha256 is out of date."
+      echo
+      echo "Cargo.lock is not the same in $cargoDeps."
+      echo
+      echo "To fix the issue:"
+      echo '1. Use "1111111111111111111111111111111111111111111111111111" as the cargoSha256 value'
+      echo "2. Build the derivation and wait it to fail with a hash mismatch"
+      echo "3. Copy the 'got: sha256:' value back into the cargoSha256 field"
+      echo
+
+      exit 1
+    fi
   '' + (args.postUnpack or "");
 
   configurePhase = args.configurePhase or ''

pkgs/build-support/rust/fetchcargo.nix

@@ -17,7 +17,16 @@ let cargo-vendor-normalise = stdenv.mkDerivation {
   preferLocalBuild = true;
 };
 in
-{ name ? "cargo-deps", src, srcs, patches, sourceRoot, sha256, cargoUpdateHook ? "" }:
+{ name ? "cargo-deps"
+, src
+, srcs
+, patches
+, sourceRoot
+, sha256
+, cargoUpdateHook ? ""
+, # whenever to also include the Cargo.lock in the output
+  copyLockfile ? false
+}:
 stdenv.mkDerivation {
   name = "${name}-vendor";
   nativeBuildInputs = [ cacert git cargo-vendor-normalise cargo ];
@@ -37,6 +46,9 @@ stdenv.mkDerivation {
         exit 1
     fi
 
+    # Keep the original around for copyLockfile
+    cp Cargo.lock Cargo.lock.orig
+
     export CARGO_HOME=$(mktemp -d cargo-home.XXX)
     CARGO_CONFIG=$(mktemp cargo-config.XXXX)
 
@@ -52,6 +64,10 @@ stdenv.mkDerivation {
     if ! cmp $CARGO_CONFIG ${./fetchcargo-default-config.toml} > /dev/null; then
       install -D $CARGO_CONFIG $out/.cargo/config;
     fi;
+
+  '' + stdenv.lib.optionalString copyLockfile ''
+    # add the Cargo.lock to allow hash invalidation
+    cp Cargo.lock.orig $out/Cargo.lock
   '';
 
   outputHashAlgo = "sha256";