matrix-tuwunel: 1.6.1 -> 1.7.0

[r-ryantm]

Automatic update generated by nixpkgs-update tools. This update was made based on information from passthru.updateScript.

meta.description for matrix-tuwunel is: Matrix homeserver written in Rust, official successor to conduwuit

meta.homepage for matrix-tuwunel is: https://github.com/matrix-construct/tuwunel

meta.changelog for matrix-tuwunel is: https://github.com/matrix-construct/tuwunel/releases/tag/v1.7.0

Updates performed

• Ran passthru.UpdateScript

To inspect upstream changes

Impact

Checks done

---

• built on NixOS
• The tests defined in passthru.tests, if any, passed
• found 1.7.0 with grep in /nix/store/4sr4zswl8dh6imvbqzwpabsplaj63hb0-matrix-tuwunel-1.7.0
• found 1.7.0 in filename of file in /nix/store/4sr4zswl8dh6imvbqzwpabsplaj63hb0-matrix-tuwunel-1.7.0

---

Rebuild report (if merged into master) (click to expand)

2 total rebuild path(s)

2 package rebuild(s)

First fifty rebuilds by attrpath

matrix-tuwunel

Instructions to test this update (click to expand)

---

Either download from the cache:

nix-store -r /nix/store/4sr4zswl8dh6imvbqzwpabsplaj63hb0-matrix-tuwunel-1.7.0 \
  --option binary-caches 'https://cache.nixos.org/ https://nixpkgs-update-cache.nix-community.org/' \
  --option trusted-public-keys '
  nixpkgs-update-cache.nix-community.org-1:U8d6wiQecHUPJFSqHN9GSSmNkmdiFW7GW7WNAnHW0SM=
  cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
  '

(The nixpkgs-update cache is only trusted for this store-path realization.)
For the cached download to work, your user must be in the trusted-users list or you can use sudo since root is effectively trusted.

Or, build yourself:

nix-build -A matrix-tuwunel https://github.com/r-ryantm/nixpkgs/archive/556d06edc30595359d51064822b2378a5ed4bc32.tar.gz

Or:

nix build github:r-ryantm/nixpkgs/556d06edc30595359d51064822b2378a5ed4bc32#matrix-tuwunel

After you've downloaded or built it, look at the files and if there are any, run the binaries:

ls -la /nix/store/4sr4zswl8dh6imvbqzwpabsplaj63hb0-matrix-tuwunel-1.7.0
ls -la /nix/store/4sr4zswl8dh6imvbqzwpabsplaj63hb0-matrix-tuwunel-1.7.0/bin

---

Pre-merge build results

We have automatically built all packages that will get rebuilt due to
this change.

This gives evidence on whether the upgrade will break dependent packages.
Note sometimes packages show up as failed to build independent of the
change, simply because they are already broken on the target branch.

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review --extra-nixpkgs-config '{ allowBroken = false; }'
Commit: 556d06edc30595359d51064822b2378a5ed4bc32

---

x86_64-linux

✅ 1 package built:

• matrix-tuwunel

---

Maintainer pings

cc @scvalex for testing.

Tip

As a maintainer, if your package is located under pkgs/by-name/*, you can comment @NixOS/nixpkgs-merge-bot merge to automatically merge this update using the nixpkgs-merge-bot.

[scvalex]

This fails to build for me with:

error: hash mismatch in fixed-output derivation '/nix/store/pb0hkb5n7aldji7m24cpkly8br8lvxnf-matrix-tuwunel-1.7.0-vendor-staging.drv':
         specified: sha256-czCKzV/DCMJK0sN/jP5Jo98Zdii9DIAGAVnFnK0YtmY=
            got:    sha256-TAupXnAjpYU3afRb2oBRhmndgN0+EJJiKoivW8CTuVk=
error: Cannot build '/nix/store/jm1433xri42bqgs3gs31wgd731nps157-matrix-tuwunel-1.7.0-vendor.drv'.
       Reason: 1 dependency failed.
       Output paths:
         /nix/store/0w9yq8cm8d2h1na2qgifhrfbzxzs89i8-matrix-tuwunel-1.7.0-vendor
error: Cannot build '/nix/store/hkfss4my67q8ghp3phbg35bkyac48fyk-matrix-tuwunel-1.7.0.drv'.
       Reason: 1 dependency failed.
       Output paths:
         /nix/store/4sr4zswl8dh6imvbqzwpabsplaj63hb0-matrix-tuwunel-1.7.0

Weirdly enough, if I rebase this commit on top of the latest master, the expected checksum changes:

         specified: sha256-czCKzV/DCMJK0sN/jP5Jo98Zdii9DIAGAVnFnK0YtmY=
            got:    sha256-9tKdb/D2++c/lM7CxtS9fVOFLUsZ6j9SepC8mp8uKxw=

I have never seen this before.

[scvalex]

I think we're hitting the same problem as the Cosmic DE version bump in #524670 and this should hopefully be fixed in #525255.

What I think is happening is:

• tuwunel has some git deps,
• the Cargo machinery in nixpkgs tries to fetch those git deps as part of the -vendor derivation,
• a git update in nixpkgs has made it so that git now runs some background tasks during clones,
• these background tasks may or may not finish while the build is running leading to different files on disk on different hosts,
• the fix is to disable the background tasks which is what the PR above does.

Copying the patch from the #525255 on top of this PR makes the build succeed locally for me. This leads me to think the hash in this PR is the correct one and my machine had the non-deterministically bad clone.

I'm going to deploy this to my server and approve afterwards.

[scvalex]

Changes look good. I deployed to my server and everything seems to be working (including the database migrations that were broken in 1.6.2).

I'm going to backport this to 26.05 tomorrow. I want to wait a day because I don't want to test whether backports work on release day.

[scvalex]

@NixOS/nixpkgs-merge-bot merge

[nixpkgs-ci]

@scvalex wants to merge this PR.

Requirements to merge this PR with @NixOS/nixpkgs-merge-bot merge:

• ✅ PR targets a development branch.
• ✅ PR touches only files of packages in pkgs/by-name/.
• ✅ PR is at least one of:
  • ⬜ Approved by a committer.
  • ⬜ Backported via label.
  • ⬜ Opened by a committer.
  • ✅ Opened by @r-ryantm.
• ✅ PR is not a draft
• ✅ scvalex is a member of @NixOS/nixpkgs-maintainers.
• ✅ scvalex is a maintainer of all touched packages on the master branch.

✔️ Queued for merge (#306934)

[nixpkgs-ci]

Successfully created backport PR for release-26.05:

• [Backport release-26.05] matrix-tuwunel: 1.6.1 -> 1.7.0 #526252

[PedroHLC]

aarch64-linux build seems to get stuck in Compiling tuwunel v1.7.0.

I was able to reproduce Hydra's result: https://hydra.nixos.org/build/330696187/nixlog/1

Probably not worth escalating it if I'm the only one affected.

[scvalex]

Huh. I built it locally on aarch64-linux without issue issue when I merged this.

 Compiling tuwunel v1.7.0 (/build/source/src/main)

This is the step that always takes the longest in the build. On Hetzner's smallest ARM64 VM, it takes about 4h to complete.

I am traveling at the moment, so I won't have a chance to do any debugging until this weekend.

[PedroHLC]

Ok, yes, it took some hours, but if you watch the processes you see some tests running taking more than 10min each, eventually it finished.

[scvalex]

I'm looking at this now and Hydra hasn't tried to rebuild.

We can see that it built 1.7.0 successfully on x86-64, but it timed out after 4h on aarch64. It was building 1.6.1 successfully in about 30min and I have no reason to expect it would need significantly longer for 1.7.0.

I am mildly tempted to disable the tests on aarch64. Presumably the thing that's hanging is tuwunel's built-in smoke tests, but we already exercise that with NixOS tests that run the server. I also don't know why the smoke tests would be behaving differently on hydra than on my laptop.