This repository has been archived by the owner on Jun 8, 2024. It is now read-only.

update nix flake #169

Merged
merged 1 commit into from
Apr 15, 2024

mtoohey31
Contributor

While investigating #167 I realized that the flake was broken since its Rust version was too old to build the upstream Typst package. This pull request updates it to a version that is new enough to build Typst.

@astrale-sharp
Owner

Hey there! Thanks for the interest,

This is a bit hard to review for me. I don't know if there are security considerations to take into account; for instance, can the new hash point to another GitHub repo? I don't think so, but if someone could point me to some resources that would be nice!

@mtoohey31
Contributor Author

Ah good question. Yes, I believe there would be security implications, but only in that we're changing the versions of the Rust compiler and Nix helper libraries, and this will only impact people who are using typstfmt via the flake, and aren't overriding the inputs (to avoid pulling in multiple versions of nixpkgs, which is common). The hashes of the new dependency versions can be found in the flake.lock file, in the locked.rev sub-fields of each of the dependency nodes.

(Also, I believe the reason why there are more lines removed than added is because there are now fewer transitive dependencies, since the crane input has removed some of its direct dependencies between the previous version and this one.)

@astrale-sharp
Owner

I delved a bit more into the meaning of each field, and since the authors didn't change (and we trusted them before) I see no difference in security!

Can you provide steps to follow to verify the current flake is broken? :)
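
An added example (not part of the original conversation and not the project's own code): a small Python check for the question discussed above. It compares the `locked` entries of two `flake.lock` files and separates inputs whose owner or repo changed from inputs where only the `rev` moved. The lock contents, owners and revs below are constructed placeholders, and matching nodes by name is an assumption of this sketch.

```python
import json

# Fields of a node's "locked" entry that say where the source comes from.
IDENTITY_FIELDS = ("type", "owner", "repo", "host", "url", "path")

def identity(node):
    """Source identity of a lock node, ignoring rev and narHash."""
    locked = node.get("locked", {})
    return {k: locked[k] for k in IDENTITY_FIELDS if k in locked}

def diff_locks(old_text, new_text):
    """Compare two flake.lock documents node by node (matched by name)."""
    old = json.loads(old_text)["nodes"]
    new = json.loads(new_text)["nodes"]
    findings = []
    for name in sorted(set(old) | set(new)):
        if name not in new:
            findings.append((name, "removed"))
        elif name not in old:
            findings.append((name, "added"))
        elif identity(old[name]) != identity(new[name]):
            findings.append((name, "source-changed"))  # different owner/repo/url
        else:
            a, b = old[name].get("locked", {}), new[name].get("locked", {})
            if a.get("rev") != b.get("rev"):
                findings.append((name, "rev-changed"))  # same source, new commit
            elif a.get("narHash") != b.get("narHash"):
                findings.append((name, "narhash-changed"))  # same commit, new hash
    return findings

# Constructed sample data: owners, node names, revs and hashes are placeholders.
def gh(owner, repo, rev):
    return {"locked": {"type": "github", "owner": owner, "repo": repo,
                       "rev": rev, "narHash": "sha256-constructed-" + rev[:4]}}

def lock(**nodes):
    return json.dumps({"nodes": {**nodes, "root": {"inputs": {}}},
                       "root": "root", "version": 7})

OLD = lock(crane=gh("example-owner", "crane", "a" * 40),
           nixpkgs=gh("NixOS", "nixpkgs", "b" * 40),
           helper=gh("example-owner", "helper", "c" * 40))
NEW = lock(crane=gh("example-owner", "crane", "d" * 40),
           nixpkgs=gh("NixOS", "nixpkgs", "e" * 40))
SWAPPED = lock(crane=gh("other-owner", "crane", "d" * 40),
               nixpkgs=gh("NixOS", "nixpkgs", "e" * 40))

if __name__ == "__main__":
    for name, kind in diff_locks(OLD, NEW):
        print(f"{kind:15} {name}")
```

For a real review, pass the text of `flake.lock` from the base branch and from the pull request branch; any `source-changed` or `added` line is the part that needs a closer look.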

@mtoohey31
Contributor Author

Great! Sure, you can verify that the package build is broken by running nix --extra-experimental-features nix-command --extra-experimental-features flakes build from the root of the repository, and you can verify that the devShell is broken by running nix --extra-experimental-features nix-command --extra-experimental-features flakes develop from the root of the repository then cargo build inside the shell that it creates. Both builds should fail with the error:

error: package `typstfmt v0.2.9 (.../typstfmt)` cannot be built because it requires rustc 1.74 or newer, while the currently active rustc version is 1.70.0

@astrale-sharp
Owner

Building with nix is sooo much longer than just running cargo build... I guess it's downloading an isolated rustc and tools version?

Can confirm your fix works! Thanks!

@astrale-sharp merged commit 9adc12b into astrale-sharp:main Apr 15, 2024
1 check passed
@mtoohey31 deleted the update-flake branch April 15, 2024 14:04
@mtoohey31
Contributor Author

Great, no problem!

> building with nix is sooo much longer than just running cargo build .. I guess it's downloading an isolated rustc and tools version?

Yeah, it'll download the pinned version of cargo, rustc, etc.; plus the corresponding versions of all their runtime dependencies (curl, glibc, openssl, zlib, etc.); plus a handful of things that come included with nix's stdenv by default (coreutils, findutils, gcc, etc.). So it's pretty heavy, but this comes with the benefit that the build is fully reproducible since the versions of all tools and all their dependencies are always the same.
