New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
openssl: split the (mostly empty) runtime dependencies of static builds into a separate output #87879
openssl: split the (mostly empty) runtime dependencies of static builds into a separate output #87879
Conversation
@ajs124 I've tested it with 1.0.2, the version check was not needed and I removed it. I also renamed the new output from |
@ajs124 @peti I believe this PR should be a no-op for non-static builds and all tests should pass, is there a way to re-trigger the test suite? Do you have any comments on this PR? Happy to work on improving it! As described above, we are successfully using this patch in PostgREST, it significantly reduces the closure size of the static build from >13mb to 4mb. |
This isn't a no-op for non-static builds, because of the changes in It's probably still not a bad idea, though. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the idea
5bcea10
to
bbc1a9d
Compare
I rebased on staging to resolve the merge conflict (rebased on |
b7f1472
to
f4fc277
Compare
Rebased on latest |
I marked this as stale due to inactivity. → More info |
This patch continues to be maintained in PostgREST, a version against current nixpkgs is at https://github.com/PostgREST/postgrest/blob/692b23abbd7c88f2aaf7b3fac18bd52a0eb09d76/nix/patches/nixpkgs-openssl-split-runtime-dependencies-of-static-builds.patch. I'm a bit curious whether it's realistic to get that applied to nixpkgs? |
Quite realistic. But this needs a rebase. |
I created a rebased PR at #182444, since @monacoremo isn't around. |
As #182444 was merged we can close this. Thanks! |
Motivation for this change
This closure size of all packages that statically link
openssl
is unnecessarily large, as they get a runtime dependency on the static openssl build.This is because the paths to several mostly empty directories and files in
--openssldir
andENGINESDIR
that are being baked into thelibcrypto.a
file:This is an attempt to reduce the runtime dependencies of packages that statically link openssl by:
This is relatively simple and clean, but unfortunately not enough, as the ENGINESDIR, which is also being baked into the static library and it cannot be configured (hardcoded to be under
libdir
by openssl). So we also need to:libdir
on static builds.This is a bit messy, but I could't figure out a cleaner solution so far... The substitution is only done on static builds, as the dynamic
*.so
files in ENGINESDIR contain references to$out
and cannot be moved to a separate output.I would be very grateful for any hints on how to improve this PR!
In my use case, this reduces the closure size of e.g. https://github.com/PostgREST/postgrest by over 60%, from 13mb compressed to about 5mb.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)