Fix hardening default for pkgsMusl to reenable -pie #101606
Conversation
Can you also add the entire explanation to the commit message? Right now we do not have anything helpful in the commit message. If we have to go back to this (e.g. due to git blame) we wouldn't really see why that was done or how we ended up doing this.
Done. Yeah, this was a bit convoluted.
Thanks! Can you also prefix the first line of the commit message with
defaultHardeningFlags is set to enable pie for Musl, but is not actually used because the default is never put into NIX_HARDENING_ENABLE. That still works for cases other than Musl only because NIX_HARDENING_ENABLE is defaulted in the binutils and cc-wrapper setup-hook.sh scripts.
checked that pkgsMusl.openssl now builds a pie executable (it currently does not on nixos-unstable)
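One way to verify the claim above on a built binary, that -pie actually took effect, is to read the ELF header: a -pie link produces an ET_DYN image that also carries a PT_INTERP program header, whereas a non-PIE executable is ET_EXEC. This is an added example, not code from the PR or from nixpkgs; the fake_elf64 images are constructed for the demonstration and the classify_file helper is the piece you would point at ./result/bin/*.

```python
import struct

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> str:
    """Return 'pie-executable', 'fixed-executable', 'shared-object', 'other' or 'not-elf'.

    A -pie link yields ET_DYN (like a shared library); a PT_INTERP program
    header is what marks it as a runnable executable (the same heuristic `file` uses).
    """
    if data[:4] != b"\x7fELF" or len(data) < 5:
        return "not-elf"
    is64 = data[4] == 2
    if len(data) < (64 if is64 else 52):
        return "not-elf"  # truncated header
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break  # program header table runs past the image: treat the rest as absent
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type == PT_INTERP:
            has_interp = True
            break
    if e_type == ET_EXEC:
        return "fixed-executable"
    if e_type == ET_DYN:
        return "pie-executable" if has_interp else "shared-object"
    return "other"

def classify_file(path: str) -> str:
    """Classify an on-disk binary, e.g. one under ./result/bin/."""
    with open(path, "rb") as f:
        return classify_elf(f.read())

def fake_elf64(e_type: int, with_interp: bool) -> bytes:
    """Constructed sample: an x86-64 little-endian ELF64 header plus at most one program header, no code."""
    phnum = 1 if with_interp else 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    return hdr + phdr
```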
@utsl42 please fix the eval error.
The eval error is related to django, which does not make sense. @GrahamcOfBorg eval |
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 1 package marked as broken and skipped:
2 packages blacklisted:
9 packages failed to build and are new build failures:
59 packages built:
This broke GHC on musl, see writeup here:
Motivation for this change
Found while attempting to fix or work around #101490: pkgs/stdenv/generic/make-derivation.nix makes it look like -pie is enabled by default on Musl. But that doesn't work, because the line modified in this change fails to set NIX_HARDENING_ENABLE, which causes pkgs/build-support/cc-wrapper/setup-hook.sh and pkgs/build-support/bintools-wrapper/setup-hook.sh to fall back to:
Things done
Tested building pkgsMusl.stdenv. Validated it builds working binaries with -pie enabled.