New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buildRustPackage: add darwin Security to buildInputs #95556
Conversation
buildInputs = buildInputs ++ stdenv.lib.optional stdenv.hostPlatform.isMinGW windows.pthreads; | ||
buildInputs = buildInputs | ||
++ stdenv.lib.optional stdenv.hostPlatform.isMinGW windows.pthreads | ||
++ stdenv.lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.frameworks.Security; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it needed for the stdlib? @LnL7 usually prefers to have impure macOS dependencies on a per-package base.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I don't understand, why is it acceptable for go
and not for rust
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think in go is required by its standard library, but in rust is only specific crates which depend on Security. e.g. getrandom
crate in shadowenv
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nixpkgs/pkgs/development/compilers/rust/rustc.nix
Lines 132 to 134 in 19a0b38
buildInputs = [ openssl ] | |
++ optional stdenv.isDarwin Security | |
++ optional (!withBundledLLVM) llvmShared; |
nixpkgs/pkgs/development/compilers/rust/cargo.nix
Lines 21 to 22 in 19a0b38
buildInputs = [ cacert file curl python3 openssl zlib ] | |
++ stdenv.lib.optionals stdenv.isDarwin [ CoreFoundation Security libiconv ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rust uses external crates, including rand
:
https://github.com/rust-lang/rust/blob/9d38dc22e5d543b9c350dd48ac014135547e7953/Cargo.lock#L2478
So, it's not surprising that rustc and cargo require Security
.
I don't think the standard library depends on Security
. E.g. the skim
derivation does not have Security
in buildInputs
and builds fine on Darwin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not to import the discussion of #89563 here. But the underlying problem here is that buildRustPackage
et al. do not properly define the crate dependency graph in Nix, so it is all or nothing. If dependent crates were also defined as Nix derivations (as e.g. buildRustCrate
does), then we could just add the Security
dependency to the small number of crates (rand
etc.) that require it. In fact, we already have a bunch of these in defaultCrateOverrides
:
https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/rust/default-crate-overrides.nix
This issue also resurfaces with other Rust crates that depend on a native library., it's just that they are not as widely used. E.g., from a quick grep we have ~90 buildRustPackage
derivations (out of ~280) that use openssl
.
Edit: removed the last paragraph, too opinionated ;).
Edit 2: sorry for repeating your point @LnL7, I didn't see your comment yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, buildRustPackage
already has multiple issues. I don't see why Security
is a hill to die on.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So solutions like crate2nix
mean that the darwin Security
, etc inputs in packages is literally cruft?
We're adding it to packages knowing that it will be removed anyway?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes,
buildRustPackage
already has multiple issues. I don't see whySecurity
is a hill to die on.
I agree that it is very tedious, so perhaps we should be pragmatic about this particular case. It is not required by the Rust standard library, but that's because the standard library does not carry (proper) RNG support and most packages do need it anyway (or some transitive dependency).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to continue with this but I don't know that I've got the time to see it through at the moment.
Apologies for my ranty comments, rereading them I probably come across harsher than I intended.
Same as #83472 for rust.
cc @Mic92 I'm not sure if this is the most correct way of doing this?
Starting with
Security
as it is the most commonly needed withbuildRustPackage
.