From f373ecec8f49b24c3070ab4f66a680bee06980a5 Mon Sep 17 00:00:00 2001
From: zimbatm <zimbatm@zimbatm.com>
Date: Sat, 28 Dec 2019 20:36:42 +0000
Subject: [PATCH] buildGoModule: support impure modules (#76532)

When modSha256 is null, disable the nix sandbox instead of using a
fixed-output derivation. This requires the nix-daemon to have
`sandbox = relaxed` set in their config to work properly.

Because the output is (hopefully) deterministic based on the inputs,
this should give a reproducible output. This is useful for development
outside of nixpkgs where re-generating the modSha256 on each mod.sum
changes is cumbersome.

Don't use this in nixpkgs! This is why null is not the default value.
---
 doc/languages-frameworks/go.xml                |  9 +++++++++
 .../development/go-modules/generic/default.nix | 18 ++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/doc/languages-frameworks/go.xml b/doc/languages-frameworks/go.xml
index bd1ee8eba27..53c891e66f8 100644
--- a/doc/languages-frameworks/go.xml
+++ b/doc/languages-frameworks/go.xml
@@ -66,6 +66,15 @@ pet = buildGoModule rec {
     </callout>
    </calloutlist>
   </para>
+
+  <para>
+    <varname>modSha256</varname> can also take <varname>null</varname> as an input.
+
+    When `null` is used as a value, the derivation won't be a
+    fixed-output derivation but disable the build sandbox instead. This can be useful outside
+    of nixpkgs where re-generating the modSha256 on each mod.sum changes is cumbersome,
+    but will fail to build by Hydra, as builds with a disabled sandbox are discouraged.
+  </para>
  </section>
 
  <section xml:id="ssec-go-legacy">
diff --git a/pkgs/development/go-modules/generic/default.nix b/pkgs/development/go-modules/generic/default.nix
index b3c583da51e..1bffb71e8f9 100644
--- a/pkgs/development/go-modules/generic/default.nix
+++ b/pkgs/development/go-modules/generic/default.nix
@@ -14,6 +14,10 @@
 , modRoot ? "./"
 
 # modSha256 is the sha256 of the vendored dependencies
+#
+# CAUTION: if `null` is used as a value, the derivation won't be a
+# fixed-output derivation but disable the build sandbox instead. Don't use
+# this in nixpkgs as Hydra won't build those packages.
 , modSha256
 
 # We want parallel builds by default
@@ -84,10 +88,16 @@ let
     '';
 
     dontFixup = true;
-    outputHashMode = "recursive";
-    outputHashAlgo = "sha256";
-    outputHash = modSha256;
-  }; in modArgs // overrideModAttrs modArgs);
+  }; in modArgs // (
+    if modSha256 == null then
+      { __noChroot = true; }
+    else
+      {
+        outputHashMode = "recursive";
+        outputHashAlgo = "sha256";
+        outputHash = modSha256;
+      }
+  ) // overrideModAttrs modArgs);
 
   package = go.stdenv.mkDerivation (args // {
     nativeBuildInputs = [ removeReferencesTo go ] ++ nativeBuildInputs;