GHC pax fixes #21163
GHC pax fixes #21163
Conversation
|
These work for me on my local branch, rebuilding against master (using commits in this PR) currently and will report on that once it finishes (I believe it took an hour or two previously). |
|
While I have the information in my head: Just to make sure this is intentional/known, the GHC build process on the way to 8.0.x goes: Additionally, I'll note that I left 7.8.4 and 7.10.3 alone pax-wise since their usage to build the next stage seems to not be problematic, and I figured I'd let someone who at least encounters a problem propose weakening protections for those.... but as a result the versions that are pax-friendly and those that aren't is somewhat arbitrary. This isn't really that big of a change from the current situation where 7.6.3 is the only one given needed PaX touchups. |
| @@ -57,6 +74,15 @@ stdenv.mkDerivation rec { | |||
| stripDebugFlags = [ "-S" ] ++ stdenv.lib.optional (!stdenv.isDarwin) "--keep-file-symbols"; | |||
|
|
|||
| postInstall = '' | |||
| # ghci uses mmap with rwx protection at it implements dynamic | |||
There was a problem hiding this comment.
Indeed, I copied it verbatim from the existing PaX bits applied to 7.6.3...
Which in turn seem to be based on Gentoo's ebuilds.... which looks to originate with this commit (from 2010).
I'll fix the typo in our tree instead of propagating it 👍
| # - https://ghc.haskell.org/trac/ghc/ticket/4244 | ||
| # Therefore, we have to pax-mark the resulting binary. | ||
| # Haddock also seems to run with ghci, so mark it as well. | ||
| paxmark m $out/lib/${name}/bin/{ghc,haddock} |
There was a problem hiding this comment.
The comment talks about ghci, but the mark applies to the ghc binary. Is that intentional?
There was a problem hiding this comment.
I also wonder whether it'd make sense to put this commentary somewhere else rather than having to repeat it below.
There was a problem hiding this comment.
I believe the ghci reference is indeed intentional, it matches the discussions on the referenced gentoo bug and haskell ticket, reproduced below for convenience:
See also: https://ghc.haskell.org/trac/ghc/ticket/12657
I'm not sure where the commentary belongs, but it does seem unfortunate to have multiple copies of it. I'll poke at this some more, thanks for the review.
dtzWill
force-pushed
the
feature/ghc-pax-fixes
branch
from
91420d1
to
a8da520
Compare
dtzWill
force-pushed
the
feature/ghc-pax-fixes
branch
from
a8da520
to
0deb556
Compare
I believe this is good to go now. |
| @@ -57,6 +57,8 @@ stdenv.mkDerivation rec { | |||
| stripDebugFlags = [ "-S" ] ++ stdenv.lib.optional (!stdenv.isDarwin) "--keep-file-symbols"; | |||
|
|
|||
| postInstall = '' | |||
| paxmark m $out/lib/${name}/bin/{ghc,haddock} | |||
There was a problem hiding this comment.
What will this command do when it's run on a platform other than Linux? Do Macs have paxmark? Do all variants of Linux have it and is it always in $PATH like it's assumed here?
There was a problem hiding this comment.
paxmark is defined as a stub function which is overridden by paxctl's setup-hook; on non-linux paxmark is a no-op.
|
Merged to |
|
@peti great, thank you! |
|
Merged to |
|
Awesome, thanks! |
Motivation for this change
These changes fix the GHC versions used for building and using pandoc.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)