That said, Darwin is currently using it, hence the eval failure.

@vcunat @domenkozar how do we test if this is still necessary?

@vcunat @jtojnar I removed the special case for darwin. Could one of you get Ofborg to test the darwin build?

@GrahamcOfBorg build bzip2

It's trying to run gcc command, which won't work.

That's odd, I thought gcc was an alias on darwin.

The Makefile has CC=gcc. Is there a standard way to fix that? The following works but seems a bit kludgy:

  preBuild = "export _CC=$CC";

  buildFlags = [ "-f Makefile-libbz2_so" "CC=$(_CC)" ];

Correct, in most darwin environments, you will see something to the effect of:

$ gcc --version
Clang ....

Thanks. So I guess this alias is not available in the bootstrap stdenv - can/should we fix that?

Isn't it easier and more portable to always use cc? (Unless you depend on some gcc-specific properties.)

@GrahamcOfBorg build bzip2

cc -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 blocksort.o huffman.o crctable.o randtable.o compress.o decompress.o bzlib.o
ld: unknown option: -soname
clang-4.0: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [Makefile-libbz2_so:38: all] Error 1

I guess the upstream Makefile needs fixing...?

Hello, I'm a bot and I thank you in the name of the community for your contributions.

Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:

If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list.

If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past.

If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments.

Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel.

this PR is still applicable to master

There are some minor conflicts, but I believe we can't merge until darwin build gets fixed.

@NixOS/darwin-maintainers could you look into this core package? It's been outdated for over a year now.

Is that the actual upstream source? It replaces the current automake build with what looks like hand crafted makefiles, which are totally not portable.

Here is a bit of the history regarding bzip2. It was unmaintained for a long time, and now has a new maintainer. Since then, they also reconstructed some of the history.

As explained here, the sourceware repo has the 1.0.x branch with maintenance releases. At the same time, there is https://gitlab.com/federicomenaquintero/bzip2 which has larger changes, including support for cmake and meson.

should we move over to the cmake build?

Well the statement about 1.x contradicts what I'm seeing.

This is targeted towards embedded use, as in projects which already embed the bzip2-1.0.6 sources and undoubtedly patch the build system.

Does the newer fork have large changes in general or just the build system, something like cmake or meson is much more likely to work in a maintainable way.

it looks like 1.1 release isnt ready yet https://gitlab.com/federicomenaquintero/bzip2/-/milestones/1 I'll continue to patch #94969

I wonder if adding this under a separate bzip2_1_0_8 attribute and keeping the last stable release as the default until things settled down in that case.

We have the CVE patches as far I checked, so indeed, there is no immediately need to upgrade.

Going to the 1.1.x branch is I think an option, the lack of a release is not that big of a deal; all that is changed is the build system. The difficulty here is having cmake or meson available sufficiently early.

The darwin stdenv already needs cmake for llvm/clang so I wouldn't expect any issues there, but might indeed require some changes on the linux side.

PR to add 1.1 as extra derivation #96621.

I marked this as stale due to inactivity. → More info

@siraben: nice cleaning up the various issues/PRs.

Quoting #64817 (comment) so that info is visible here:

There exist bzip2 archives in the wild which cannot be extracted by the 1.0.6 that's in nixpkgs due to the fix for CVE-2019-12900. It takes some gymnastics to use them in derivations, etc. because bzip2 is such a core package. It would be nice to be able to upgrade to 1.0.8, which can handle these files, or move to the 1.1 series as default.

2.1.1 is still unreleased. As far as I can tell Ubuntu, Fedora and Arch are still shipping 1.0.8.

Also according to https://blog.micahsnyder.dev/posts/2021-06-05-03-bzip2-project.html the maintainer is now
Micah Snyder and the 1.0 and 1.1 branches can both be found at https://gitlab.com/bzip2/bzip2. The GitLab repo we fetch for 2.1.1 could also be updated accordingly. That same repo also has 1.0.8.

One example for an impacted archive is that NixOS cannot unpack without deliberately getting the newer bzip2 package is https://developer.nvidia.com/embedded/l4t/r32_release_v7.1/t210/jetson-210_linux_r32.7.1_aarch64.tbz2

EDIT: Looking at the various attempts I see now how much of a pain it seems to be to fix this by updating to 1.0.8.