switch from "id" to "nonce"

mainly this addresses the following use case:

1. Someone creates a template with build.zig.zon, id field included
   (note that zig init does not create this problem since it generates
   a fresh id every time it runs).
2. User A uses the template, changing the package name to "example" but
   not the id field.
3. User B uses the same template, changing the package name also to
   "example", also not changing the id field.

Here, both packages have unintentional conflicting logical ids.

By making the field a combination of name checksum + random id, this
accident is avoided. "nonce" is an OK name for this.

Also relaxes errors on remote packages when using `zig fetch`.
Andrew Kelley
2025-02-25 17:26:19 -08:00
parent a70307e7ff
commit 0fc7c9f57c
7 changed files with 100 additions and 59 deletions
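The template-copy accident in steps 1-3 above, and why binding the identifier to a name checksum plus a random part catches it, as an added example; this is not the Zig toolchain's code, and the layout (8 hex chars of truncated SHA-256 over the name followed by 8 hex chars of randomness), the `nonce_is_stale` check and all function names are assumptions made for illustration.

```python
"""Model of a name-bound package nonce. Assumed layout, not Zig's format:
8 hex chars = checksum of the package name, then 8 hex chars = random."""
import hashlib
import secrets
from typing import Optional

CHECKSUM_HEX = 8  # assumed: 32-bit truncated SHA-256 of the package name
RANDOM_HEX = 8    # assumed: 32 random bits chosen when the package is created


def name_checksum(name: str) -> str:
    return hashlib.sha256(name.encode()).hexdigest()[:CHECKSUM_HEX]


def make_nonce(name: str, random_bits: Optional[int] = None) -> str:
    """Fresh nonce for `name`, as a toolchain would mint on first creation."""
    if random_bits is None:
        random_bits = secrets.randbits(4 * RANDOM_HEX)
    return name_checksum(name) + format(random_bits, f"0{RANDOM_HEX}x")


def nonce_is_stale(name: str, nonce: str) -> bool:
    """True when the nonce was minted for a different name, i.e. it was
    copied from a template and the package was renamed afterwards."""
    if len(nonce) != CHECKSUM_HEX + RANDOM_HEX:
        return True
    return nonce[:CHECKSUM_HEX] != name_checksum(name)


def template_copy_scenario() -> dict:
    """Steps 1-3 of the commit message under both identifier schemes."""
    # Constructed sample: a template whose identifier was generated once.
    template_id = make_nonce("my_template", random_bits=0xDEADBEEF)
    user_a = ("example", template_id)  # renamed, identifier left alone
    user_b = ("example", template_id)  # same accident, same value
    # Opaque id: two unrelated projects now share one logical identity.
    plain_id_conflict = user_a[1] == user_b[1]
    # Name-bound nonce: both copies are detectably stale, so a toolchain can
    # reject or regenerate them instead of silently merging the identities.
    stale = [nonce_is_stale(n, v) for n, v in (user_a, user_b)]
    regenerated = {make_nonce(n) for n, _ in (user_a, user_b)}
    return {
        "plain_id_conflict": plain_id_conflict,
        "stale_detected": all(stale),
        "distinct_after_regeneration": len(regenerated) == 2,
    }
```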


@@ -13,17 +13,18 @@
.version = "0.0.0",
// Together with name, this represents a globally unique package
// identifier. This field should be initialized with a 16-bit random number
// when the package is first created, and then *never change*. This allows
// unambiguous detection when one package is an updated version of another.
// identifier. This field is generated by the Zig toolchain when the
// package is first created, and then *never changes*. This allows
// unambiguous detection of one package being an updated version of
// another.
//
// When forking a Zig project, this id should be regenerated with a new
// random number if the upstream project is still maintained. Otherwise,
// the fork is *hostile*, attempting to take control over the original
// project's identity. Thus it is recommended to leave the comment on the
// following line intact, so that it shows up in code reviews that modify
// the field.
.id = $i, // Changing this has security and trust implications.
// When forking a Zig project, this id should be regenerated (delete the
// field and run `zig build`) if the upstream project is still maintained.
// Otherwise, the fork is *hostile*, attempting to take control over the
// original project's identity. Thus it is recommended to leave the comment
// on the following line intact, so that it shows up in code reviews that
// modify the field.
.nonce = $i, // Changing this has security and trust implications.
// Tracks the earliest Zig version that the package considers to be a
// supported use case.
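Review bot: the regenerate-on-fork comment still reads "this id should be regenerated" while the field on the line below is now `.nonce`; change it to "this nonce", and since the commit message says the value is now a name checksum plus a random part, state that here so a reader knows what "generated by the Zig toolchain" binds the value to (and that renaming the package therefore also calls for a fresh nonce, not only forking). The "delete the field and run `zig build`" instruction is the only regeneration procedure the template gives, so it is worth confirming it matches what the toolchain actually does when the field is absent.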