You can configure the hashing ccache uses to determine if the compiler changed. For developing a bootstrap, you might just use the compiler version, but for regular use you'd use the full path of the binary so it includes the nix hash. See compiler_check at http://ccache.samba.org/manual.html#_configuration_settings.
Other than that, ccache uses all the inputs to the compiler to determine the cache hash.

Indeed, ccache needs to write to a shared cache so that could be poisoned. An option would be to run ccache setuid as someone else so that the poisoning can only be done by compiling a malicious payload in a way that the input hash clashes.

On Tue Dec 09 2014 at 6:59:50 PM Shea Levy <[email protected]> wrote:

> Also, presumably builds will have to have write access to the cache, which
> means a malicious build can break things for other builds.
>
> On Dec 9, 2014, at 5:57 PM, Wout Mertens <[email protected]> wrote:
>
> I don't follow. It's a cache, so it always returns the same output for a
> given set of inputs (compiler version, source files, preprocessor
> settings). Its presence should be undetectable.
>
> The only impurity is that time taken to compile is dependent on previous
> compiles, no?
>
> However, it is still useful for development but not if using it means
> rebuilding the world on your laptop... So I'd like to at least offer the
> option for development.
>
> Wout.
>
> On Tue Dec 09 2014 at 6:32:04 PM Shea Levy <[email protected]> wrote:
>
>> ccache is impure and thus should not be used for hydra.
>>
>> On Dec 9, 2014, at 5:28 PM, Wout Mertens <[email protected]> wrote:
>>
>> Hi all,
>>
>> there is some support for ccache in the tree but nothing in the way of
>> documentation. I gave it a shot, see
>> https://github.com/NixOS/nixpkgs/issues/2387#issuecomment-66215017, and
>> it seems to work however it also changes the hash of stdenv.
>>
>> Is there a way to change stdenv so that ccache can be turned on or off
>> without causing rebuilds?
>>
>> I'm convinced that this would be a major boon for Hydra, which probably
>> spends a lot of time compiling the same C/C++ files with the same
>> preprocessed output. Likewise for developing expressions.
>>
>> Wout.
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
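
The effect of the `compiler_check` choice discussed in the message above, as an added example that is not part of the original thread and not ccache's own code. It is a simplified model of a compiler-cache key (the real hash covers more inputs), and the store paths, the version string `4.9.2` and the fake compiler files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def compiler_identity(check: str, compiler_path: str) -> bytes:
    """Bytes mixed into the key for one compiler_check value (simplified model)."""
    if check == "none":
        return b""                                   # compiler never invalidates the cache
    if check == "mtime":
        st = os.stat(compiler_path)                  # size and mtime of the binary
        return f"{st.st_size}:{st.st_mtime_ns}".encode()
    if check == "content":
        with open(compiler_path, "rb") as f:         # hash of the binary itself
            return hashlib.sha256(f.read()).digest()
    if check.startswith("string:"):
        return check[len("string:"):].encode()       # caller-supplied identity
    raise ValueError(f"unsupported compiler_check in this model: {check!r}")

def cache_key(check, compiler_path, args, preprocessed: bytes) -> str:
    """Key over compiler identity, arguments and preprocessed source."""
    h = hashlib.sha256()
    parts = (compiler_identity(check, compiler_path),
             "\0".join(args).encode(), preprocessed)
    for part in parts:
        h.update(len(part).to_bytes(8, "big"))       # length prefix avoids ambiguity
        h.update(part)
    return h.hexdigest()

def demo() -> dict:
    """For each identity choice: do two different compiler builds share a key?"""
    with tempfile.TemporaryDirectory() as store:     # stands in for /nix/store
        paths = []
        for name, body in (("aaaa-gcc-4.9.2", b"build A"), ("bbbb-gcc-4.9.2", b"build B")):
            bindir = os.path.join(store, name, "bin")
            os.makedirs(bindir)
            path = os.path.join(bindir, "gcc")
            with open(path, "wb") as f:
                f.write(body)                        # constructed fake compiler
            paths.append(path)
        src, args = b"int main(void){return 0;}\n", ["-O2", "-c"]
        choices = {"version": lambda p: "string:4.9.2",   # bootstrap development
                   "path": lambda p: "string:" + p,       # full path incl. store hash
                   "content": lambda p: "content"}
        return {label: cache_key(mk(paths[0]), paths[0], args, src)
                       == cache_key(mk(paths[1]), paths[1], args, src)
                for label, mk in choices.items()}

if __name__ == "__main__":
    print(demo())
```

Keying on the version string lets two distinct compiler builds share cache entries, while keying on the full store path or on the binary's content keeps them apart.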
