bazel 7.1 -> 7.3

[flurie]

Description of changes

Bazel 7.1.2 -> 7.3.1

Things done

Walking through this in some detail:

• Take a built Bazel 7.3, patch it, and wrap it in FHS. I found just patching did not work, but I'm not sure if it needs both at once?
• Use bootstrap Bazel to vendor all deps with bazel vendor for a fixed-output derivation. Eliminate any parts that are not reproducible but do not affect the output.
• Build Bazel with as little change to the existing drv as possible. To prevent it from fetching things due to timestamps on the marker files, I pin every repo it has in VENDOR.bazel. To enable offline builds, we need to set --repository_disable_download, not --nofetch. Also, for some reason py_binary rules were building python zips, so I had to add --nobuild_python_zip.

More serious gaps:

• Haven't updated tests. I imagine those will change in the same way so it might be nice either to get out of the bootstrap first or have a single wrapper for the bootstrap that we can use to create Bazel offline drvs, maybe even replacing buildBazelPackage? One thing I don't know is how well bazel vendor performs when you aren't as all-in on bzlmod as Bazel's own build.
• Related to above issue, if bazel vendor is hard to use as a standard deps fetch more generally, should we consider keeping Bazel 7.3 as a separate package for now and moving forward with replacements for things that can use it? That's the only reason I have kept them separate for now.
• No darwin testing. But my understand is that the darwin build is already pretty broken/not practically usable, even though it builds?

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[flurie]

This is the only new patch introduced here. The others are all copied straight from the existing bazel_7 drv.

[flurie]

I'm going to hold off on the by-name migration until we come to a decision about whether or not to replace the existing bazel_7.

[emilazy]

Is the reason to have this as a separate package just getting fetching to work properly? If that can be solved it seems better to update the main Bazel package rather than carrying around multiple versions indefinitely.

Nits:

• Package name should be bazel_7_3.
• Commit message subject should be bazel_7_3: init at 7.3.0, or bazel: 7.1.2 -> 7.3.0 if it gets merged in (that way ofborg will build it in CI).

[flurie]

Is the reason to have this as a separate package just getting fetching to work properly? If that can be solved it seems better to update the main Bazel package rather than carrying around multiple versions indefinitely.

Thank you, I realize I didn't really provide any specifics here. Changing how deps are fetched shouldn't be a big deal normally, but we are giving up a good bit of control over resolution and fetching, and I don't fully trust that the new method will remain correct or stable over time. The previous method of fetching used to be able to resolve everything necessary to build the package outside of using Bazel directly. Unfortunately, some changes to how Bazel resolves deps broke our method of resolution and fetching essentially for good. This comment has a summary of the problem and links to a more detailed discussion.

Bazel does not guarantee reproducibility in its fetches, so using Bazel to fetch its deps means taking on some level of risk. I don't want to preclude that this is stable enough to use going forward, and I don't want a problem to mean that we no longer have a working Bazel 7 package. These concerns might not be enough to warrant having a separate package, but I wanted to make them known and get others' perspectives.

Nits:

* Package name should be `bazel_7_3`.

* Commit message subject should be `bazel_7_3: init at 7.3.0`, or `bazel: 7.1.2 -> 7.3.0` if it gets merged in (that way ofborg will build it in CI).

👍 I will make these changes if we end up sticking with a new package here.

[emilazy]

No worries, I’m not keeping track of Bazel so I’m just missing the context here :)

Seems like we’ll have to bite the bullet at some point, right, unless Bazel 7.1 is going to remain a viable platform forever? Or someone else could write a deterministic fetcher tailored to our purposes; I know that’s been done for Node.js.

[flurie]

Your perspective even without the additional context is valuable, because it tells me this probably does not clear the bar for needing to split the package further. I'm now leaning toward upgrading the existing package in place.

Bazel tends to do big feature development in minor versions while gating them behind flags that are disabled by default, and a lot of major version changes are simply flipping the flags to enable the feature by default, so minor versions can come with big feature updates on their own. It would be okay for us to have separate minor versions, I believe, if that were something we absolutely needed to do, but I'm more certain that we don't need to do it in this case.

I think a better fetcher might be a preferable solution in the long run simply because we care a lot more about the reproducibility of deps, but I thought it was more important to have a working Bazel 7.3 since we had to skip over 7.2. It's also possible that we see less volatility with the deps for this package in particular, but I am also thinking about a way forward for things like buildBazelPackage that have a prescribed-enough deps fetch that it should work out of the box for most people. This has been and continues to be a common pain point for building Bazel packages with nix, and a custom fetcher is probably optimal, but I'm afraid it will be a lot of work, and it is hard to have a good development loop for these gigantic FODs that are difficult or impossible to decompose.

[emilazy]

It’s okay to maintain separate versions for a time if required to do a migration. For instance, are there existing in‐tree packages using Bazel that would be broken by the fetcher changes (e.g. because they have dependency hashes that would be invalidated)? In that case it’d definitely be best to add another version for now until we can sort things out. If everything in Nixpkgs should otherwise keep working, I think it’s okay to go from one suboptimal situation to another, perhaps with a release note.

(And yeah, I’m a big FOD blob hater, personally! But they can be hard to forgo without checking huge lock files into Nixpkgs, depending on the ecosystem…)

[malt3]

I'm now leaning toward upgrading the existing package in place.

I share that sentiment.

I think a better fetcher might be a preferable solution in the long run […] This has been and continues to be a common pain point for building Bazel packages with nix, and a custom fetcher is probably optimal, but I'm afraid it will be a lot of work, and it is hard to have a good development loop for these gigantic FODs that are difficult or impossible to decompose.

I think a fetcher that is stable over many Bazel versions requires upstream support. Ideally a built in feature like bazel vendor, but it outputs a list of fetchurl / http_archive / a JSON lockfile instead of creating a vendor_dir. If we can get something implemented upstream (and add tests upstream) we can expect it to be less brittle.

[flurie]

I think these changes are pretty well localized to the Bazel derivation itself, so I do think this is fine to upgrade in place.

I've switched to Bazel 7.3.1 and did not find any issues after updating the hashes.

I'm going to mark this as ready for review while recognizing that the tests have not been updated yet.

[flurie]

this might not be necessary (was from an attempt to wrap the bootstrap Bazel with JAVA_HOME)

[flurie]

This is the salient portion of the changes made to get this working with Bazel 7.3 via vendor mode.

[emilazy]

Were we using a binary bootstrap before, or is this a new change? I thought that Bazel always required itself to bootstrap, so it’d help me if you could explain the differences from the previous situation.

Currently it seems like this would restrict Bazel to x86_64-linux only, which would be unfortunate. Would keeping the old Bazel around to build this one provide us a source‐based bootstrap path, or would we just be using a different binary bootstrap?

[flurie]

Bazel does require itself to bootstrap as part of its own build, but we now need a version of Bazel 7.3 that we can use prior to building Bazel 7.3 in order to be able to run bazel vendor for the FOD that fetches the deps.

We should be able to bootstrap all combinations of darwin/linux and x86_64/arm64. We can certainly do that for linux, though I don't have an arm64-linux machine readily available. My understanding with the darwin derivation is that it builds but is essentially unusable, but I don't have the experience to confirm this. I'd be okay with delisting darwin support as long as people with this experience can verify that understanding.

[flurie]

One thing I'm not certain about: we need the bootstrap without an existing Bazel >= 7.3, but is there a way to get rid of it once we've done an initial bootstrap?

[flurie]

This now should work for all supported platforms, though I haven't tested it on all of them yet.

[emilazy]

Thanks, I understand better now. Am I correct in thinking that previously we did not need a binary blob bootstrap Bazel and now we do, and that there is no way to use the old from‐source Bazel to bootstrap the new one? That is unfortunate, but not something we really have control over. You should set at least meta.sourceProvenance on the bootstrap Bazel accordingly.

[flurie]

That is correct, at least for the approach I've taken to vendor the deps. However, once we have a working Bazel 7.3 cached, is there a way for us to use that instead? It's not obvious to me how, but I figured there might be a way to eliminate the external bootstrap after the fact.

You should set at least meta.sourceProvenance on the bootstrap Bazel accordingly.

done 6338bd3

[emilazy]

We have the bootstrap tools tarballs, but those are for things that are required to rebuild the standard environment. I think it wouldn’t make much sense in this case, because the provenance would be essentially the same: we’re trusting the opaque blob to produce a new opaque blob for us, so there’s no point pretending that “laundering” it through Hydra produces something we can confidently say was bootstrapped cleanly from the original source code.

[dmivankov]

@ofborg build bazel_7

[dmivankov]

7.3.2 is also available now

[boltzmannrain]

And 7.4.0

[emilazy]

Sorry for forgetting about this. The ofborg failure looks like a build sandbox thing, maybe. The default setting on macOS (used by Hydra) is to leave it disabled, but ofborg uses the sandbox since it‘s building stuff from random users on the internet.

[emilazy]

BTW, this isn‘t directly related to this PR but I thought I should note it down for others in case I don‘t get around to handling it: Bazel 5 is leaving security support two months into 24.11, and only one package uses it, so it should probably get dropped before release.

[flurie]

Ah it looks like the HOME override doesn't work for darwin because it uses a different default output root. If I specify the output root, it fails on this:

error: builder for '/nix/store/aqz2kvg46ra3fwaaklls2li5972lsddw-bazelDeps.drv' failed with exit code 37;
       last 17 log lines:
       > Running phase: unpackPhase
       > unpacking source archive /nix/store/c4y3gq577yvjgy6nn90qmx9x501jz15c-bazel-7.3.1-dist.zip
       > source root is .
       > Running phase: patchPhase
       > applying patch /nix/store/jghsrq93v25j6d6zkizx8ilbzpc544ac-test_source_sort.patch
       > patching file src/test/shell/bazel/list_source_repository.bzl
       > Running phase: updateAutotoolsGnuConfigScriptsPhase
       > Running phase: configurePhase
       > Running phase: buildPhase
       > here!
       > /private/tmp/nix-build-bazelDeps.drv-0/bazel_src
       > here too!
       > Extracting Bazel installation...
       > Starting local Bazel server and connecting to it...
       > Server crashed during startup. Now printing /private/tmp/nix-build-bazelDeps.drv-0/output_root/1f90a375f58569e8f4bcdc6145ad9689/server/jvm.out
       > OpenJDK 64-Bit Server VM warning: Options -Xverify:none and -noverify were deprecated in JDK 13 and will likely be removed in a future release.
       > FATAL: CHECK failed: (suspend_state.connect_port) != (0):
       For full logs, run 'nix log /nix/store/aqz2kvg46ra3fwaaklls2li5972lsddw-bazelDeps.drv'.
error: 1 dependencies of derivation '/nix/store/mr55lglaq7wd95hvc04v8yxa7n9cy5nd-bazel-7.3.1.drv' failed to build

which appears to be related to this open issue that we have fixed with a patch. Unfortunately, it looks like we can't build Bazel 7 on darwin with sandboxing turned on if we want to use this bootstrapping method. I see a couple immediate options:

• accept that this won't build in a sandbox on darwin, get some others to confirm that it builds/runs in darwin without sandboxing
• fork Bazel and build a release with the patch applied that we can use to bootstrap our Bazel build

There may be some better/more nuanced options as well.

[DolceTriade]

Don't we already "fork" bazel by applying our hermeticity patches? Sounds more like an advertising problem? The issue was reported in 2023 and hasn't gained much traction since then.

Assuming the patch is just to disable the functionality to not sleep while a build is running, it seems worthwhile to get bazel 7.3 in Nix?

I wonder if we could also modify that code to simply make it "best effort" as in, if the power API calls fail, just continue on and hope for the best?

[DolceTriade]

Also, I tried building your branch on OSX and I got this:

❯ nix build .#pkgs.bazel_7
error: builder for '/nix/store/203zp1rhskwf6nfgpg4l4s3dh9hlbj5k-bazelDeps.drv' failed with exit code 2;
       last 25 log lines:
       > ERROR: An error occurred during the fetch of repository 'bazel_tools~cc_configure_extension~local_config_cc':
       >    Traceback (most recent call last):
       >        File "/private/var/tmp/_bazel__nixbld2/1f90a375f58569e8f4bcdc6145ad9689/external/bazel_tools/tools/cpp/cc_configure.bzl", line 91, column 33, in cc_autoconf_impl
       >              configure_unix_toolchain(repository_ctx, cpu_value, overriden_tools)
       >   File "/private/var/tmp/_bazel__nixbld2/1f90a375f58569e8f4bcdc6145ad9689/external/bazel_tools/tools/cpp/unix_cc_configure.bzl", line 387, column 46, in configure_unix_toolchain
       >                overriden_tools["ar"] = _find_generic(repository_ctx, "libtool", "LIBTOOL", overriden_tools)
       >   File "/private/var/tmp/_bazel__nixbld2/1f90a375f58569e8f4bcdc6145ad9689/external/bazel_tools/tools/cpp/unix_cc_configure.bzl", line 310, column 32, in _find_generic
       >           auto_configure_fail(msg)
       >       File "/private/var/tmp/_bazel__nixbld2/1f90a375f58569e8f4bcdc6145ad9689/external/bazel_tools/tools/cpp/lib_cc_configure.bzl", line 112, column 9, in auto_configure_fail
       >               fail("\n%sAuto-Configuration Error:%s %s\n" % (red, no_color, msg))
       > Error in fail:
       > Auto-Configuration Error: Cannot find libtool or LIBTOOL; either correct your path or set the LIBTOOL environment variable
       > ERROR: no such package '@@bazel_tools~cc_configure_extension~local_config_cc//':
       > Auto-Configuration Error: Cannot find libtool or LIBTOOL; either correct your path or set the LIBTOOL environment variable
       > ERROR: /private/var/tmp/_bazel__nixbld2/1f90a375f58569e8f4bcdc6145ad9689/external/rules_pkg~/pkg/private/tar/BUILD:45:10: @@rules_pkg~//pkg/private/tar:build_tar depends on @@bazel_tools~cc_configure_extension~local_config_cc//:cc-compiler-darwin_arm64 in repository @@bazel_tools~cc_configure_extension~local_config_cc which failed to fetch. no such package '@@bazel_tools~cc_configure_extension~local_config_cc//':
       > Auto-Configuration Error: Cannot find libtool or LIBTOOL; either correct your path or set the LIBTOOL environment variable
       > ERROR: Analysis of target '//src:bazel_nojdk' failed; build aborted: Analysis failed
       > INFO: Elapsed time: 7.130s
       > INFO: 0 processes.
       > ERROR: Build did NOT complete successfully
       > Loading: 325 packages loaded
       > ERROR: Fetching some target dependencies failed with errors: Analysis of target '//src:bazel_nojdk' failed; build aborted: no such package '@@bazel_tools~cc_configure_extension~local_config_cc//':
       > Auto-Configuration Error: Cannot find libtool or LIBTOOL; either correct your path or set the LIBTOOL environment variable
       > Loading: 325 packages loaded
       >
       For full logs, run 'nix log /nix/store/203zp1rhskwf6nfgpg4l4s3dh9hlbj5k-bazelDeps.drv'.
error: 1 dependencies of derivation '/nix/store/62zfamx14j7077q22arbyywwc3s6cnch-bazel-7.3.1.drv' failed to build

After making this change:

diff --git a/pkgs/development/tools/build-managers/bazel/bazel_7/default.nix b/pkgs/development/tools/build-managers/bazel/bazel_7/default.nix
index 703f25e34..27746585a 100644
--- a/pkgs/development/tools/build-managers/bazel/bazel_7/default.nix
+++ b/pkgs/development/tools/build-managers/bazel/bazel_7/default.nix
@@ -35,6 +35,7 @@
   # Apple dependencies
   cctools,
   libcxx,
+  libtool,
   sigtool,
   CoreFoundation,
   CoreServices,
@@ -188,6 +189,7 @@ let
         unzip
         runJdk
         bazelForDeps
+        libtool
       ];
       configurePhase = ''
         runHook preConfigure

It built on OSX for me. Testing on an M1 Mac

[alexflurieagility]

Don't we already "fork" bazel by applying our hermeticity patches? Sounds more like an advertising problem? The issue was reported in 2023 and hasn't gained much traction since then.

Yes, the problem is that, in order to use bazel vendor to vendor the deps to build Bazel with a frozen set of deps, one must already have Bazel >= 7.3, and the bootstrap Bazel we fetch in order to do that is missing our patch.

After making this change:
It built on OSX for me. Testing on an M1 Mac

Thank you, I will add that in!

[boltzmannrain]

Suggested change

	--tool_java_runtime_version=local_jdk_21 \
	--java_runtime_version=local_jdk_21 \
	--tool_java_runtime_version=remotejdk_21 \
	--java_runtime_version=remotejdk_21 \

It seems to not affect the vendor results, but might be cleaner to specify a hermetic toolchain rather than host toolchain?

[boltzmannrain]

though there's more use of local_jdk and patching related to that, so maybe local_jdk fits better

[flurie]

Given that this is using the bootstrap bazel, I agree that your suggestion might be preferable, but isn't it using a hermetic toolchain we bring into the env instead?

[boltzmannrain]

Suggested change

	(cd bazel_src; ${bazelForDeps}/bin/bazel --server_javabase=${runJdk} mod deps --curses=no;
	${bazelForDeps}/bin/bazel --server_javabase=${runJdk} vendor src:bazel_nojdk \
	(cd bazel_src; ${bazelForDeps}/bin/bazel --batch --server_javabase=${runJdk} mod deps --curses=no;
	${bazelForDeps}/bin/bazel --batch --server_javabase=${runJdk} vendor src:bazel_nojdk \

Noticed that without fhs wrapping build would fail on bazel daemonizing itself. Daemon mode shouldn't be required for this vendoring target, also in some cases it's easier to capture logs in batch mode

[boltzmannrain]

Suggested change

	# the future, as this is approximately 16GB.
	# the future, as this is approximately 0.9GB.

For me it amounts to 840-870MB 🤔

[alexflurieagility]

At the time that was written, it was vendoring the entire build rather than just the required targets.

[boltzmannrain]

Suggested change

	bazelForDeps = if stdenv.hostPlatform.isDarwin then bazelBootstrap else bazelFhs;
	bazelForDeps = bazelBootstrap;

with --batch it seems that bazelBootstrap works fine, not sure how exactly was daemon mode failing without the wrapper.

But also wrapper doesn't add any extra dependencies and looks like a no-op, at the very least it'd be nice to add a comment on why add FHS wrapper, and why not on MacOS.

[flurie]

I'm happy to get rid of the explicit FHS env if we don't need it, especially since we can't use it on darwin either way. Not sure if we should make this change right before it gets merged, though?

[boltzmannrain]

I didn't try to run it on ofborg or hydra so maybe less time risk in merging current version and look into simplifying later

[boltzmannrain]

For some reason I'm hitting

ERROR: /build/bazel_UkqwKL5c/out/external/rules_java~~toolchains~remote_java_tools/BUILD:154:10: Creating runfiles tree bazel-out/aarch64-opt-exec-ST-fad1763555eb/bin/external/rules_java~~toolchains~remote_java_tools/ijar_cc_binary.runfiles [for tool] failed: build-runfiles failed: error executing <shell command> command 

...  java.io.IOException: Cannot run program "/build/bazel_UkqwKL5c/archive/build-runfiles" (in directory "/build/bazel_UkqwKL5c/out/execroot/_main"): error=2, No such file or directory: java.io.IOException: Cannot run program "/build/bazel_UkqwKL5c/archive/build-runfiles" (in directory "/build/bazel_UkqwKL5c/out/execroot/_main"): error=2, No such file or directory

on aarch64-linux when building bazel_7, will try to debug later

[boltzmannrain]

technically it may cover other platforms too, like riscv or something

[alexflurieagility]

That is not a supported platform. I would be happy to take a vendor sha for i686, but since I think it is unlikely that people are waiting to be able to run Bazel >= 7.3 via Nix on a Raspberry Pi, I don't want to gate merging this PR, which has been outstanding for months, on its inclusion.

[boltzmannrain]

What I meant is it's ok to only support most popular platforms, but there are more direct ways to express it:

• here instead of "else # assume x86_64-darwin" do "else if ...darwin case... else fail"
• and/or platforms meta attribute https://ryantm.github.io/nixpkgs/stdenv/meta/#var-meta-platforms

[flurie]

Ah I understand, you're right, I can make that change.

[boltzmannrain]

also here it assumes there's only 4 possible platform combinations

[alexflurieagility]

See my comment above.

[boltzmannrain]

For some reason I'm hitting

ERROR: /build/bazel_UkqwKL5c/out/external/rules_java~~toolchains~remote_java_tools/BUILD:154:10: Creating runfiles tree bazel-out/aarch64-opt-exec-ST-fad1763555eb/bin/external/rules_java~~toolchains~remote_java_tools/ijar_cc_binary.runfiles [for tool] failed: build-runfiles failed: error executing <shell command> command 

...  java.io.IOException: Cannot run program "/build/bazel_UkqwKL5c/archive/build-runfiles" (in directory "/build/bazel_UkqwKL5c/out/execroot/_main"): error=2, No such file or directory: java.io.IOException: Cannot run program "/build/bazel_UkqwKL5c/archive/build-runfiles" (in directory "/build/bazel_UkqwKL5c/out/execroot/_main"): error=2, No such file or directory

on aarch64-linux when building bazel_7, will try to debug later

extra info is that with breakpointHook

$ cntr exec ls /
build  dev  etc  nix  proc  tmp  var

there seems to be no /bin/sh and that makes build-runfiles from https://github.com/bazelbuild/bazel/blob/master/scripts/bootstrap/compile.sh#L334 fail 🤔

Shouldn't be a blocker I guess, if it works on Hydra let it work, if not maybe add aarch64-linux to "badPlatforms" for now

[boltzmannrain]

Personally don't see why not merge it even in current shape and bump&improve further later

ZHF is also starting so any regressions might be good to address during that campaign

[layus]

LGTM.

Bootstrapping from a binary tarball seems more reliable than everything we tried before.

Not updating tests is okay. They are cumbersome to update, and do not really work anyway. What we need is a maintained toy/example/test project that is nix/NixOS compatible. Not aware of any right now.

I plan to merge this on Thursday unless there is some hard blocker discovered in the meantime.

[flurie]

@layus might sound odd, but I wonder if we could use some examples/tests from rules_nixpkgs?

Some of the unresolved suggestions are simple/straightforward. Should I go ahead and make these changes ahead of merge?

[DolceTriade]

Will this still be merged on Thursday?

[layus]

@flurie I am just trying to be helpful by providing the ability to merge, and a reminder that it does not need to be perfect to be useful. I will merge as-is, but changes in another PR are obviously welcome.

[dimatosaurus]

Can we maybe also bump it to 7.4? Update of the version seems not to cause problems from a first test.

[boltzmannrain]

Can we maybe also bump it to 7.4? Update of the version seems not to cause problems from a first test.

#355457 waiting for the build