Skip to content

haskell.compiler.ghc*Binary: work around com.apple.provenance xattr#413450

Merged
reckenrode merged 1 commit intoNixOS:stagingfrom
reckenrode:push-oxkpymuqwlmr
Jun 5, 2025
Merged

haskell.compiler.ghc*Binary: work around com.apple.provenance xattr#413450
reckenrode merged 1 commit intoNixOS:stagingfrom
reckenrode:push-oxkpymuqwlmr

Conversation

@reckenrode
Copy link
Contributor

@reckenrode reckenrode commented Jun 3, 2025

Sometimes the store can get infected with the com.apple.provenance xattr. There’s no practical way to remove it. This patch works around it when building GHC, which tries to clear the xattrs of libiconv.dylib in the store and fails.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added the 6.topic: haskell General-purpose, statically typed, purely functional programming language label Jun 3, 2025
@reckenrode reckenrode mentioned this pull request Jun 3, 2025
Closed
3 tasks
@github-actions github-actions bot added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Jun 3, 2025
@sternenseemann
Copy link
Member

sternenseemann commented Jun 3, 2025

Is this an issue in the source built GHCs as well? I remember we have to give it XATTR there for some reason, so this would be worrying.

@sternenseemann
Copy link
Member

sternenseemann commented Jun 4, 2025

This change is also necessary for ghc902Binary which has been introduced in the current haskell-updates rotation.

@reckenrode
Copy link
Contributor Author

reckenrode commented Jun 4, 2025

I can update it for ghc902Binary. Should I retarget to haskell-updates?

Is this an issue in the source built GHCs as well? I remember we have to give it XATTR there for some reason, so this would be worrying.

It’s only an issue for the bindists because libiconv.dylib is symlinked into $out prior to running xattr. The source builds link against libiconv.dylib instead, so they aren’t affected.

@sternenseemann
Copy link
Member

sternenseemann commented Jun 4, 2025

I can update it for ghc902Binary. Should I retarget to haskell-updates?

Given that it's a rebuild unless we write this in a more clunky way, not a good idea at the moment. I can just port the change into a second PR for haskell-updates (the rebuild for 9.0.2 is small by comparison).

@reckenrode reckenrode merged commit 02821c6 into NixOS:staging Jun 5, 2025
17 of 18 checks passed
@reckenrode reckenrode deleted the push-oxkpymuqwlmr branch June 5, 2025 01:24
@sternenseemann
Copy link
Member

sternenseemann commented Jul 1, 2025

Just to confirm, this is not needed for 25.05?

sternenseemann added a commit to sternenseemann/nixpkgs that referenced this pull request Jul 1, 2025
@sternenseemann
haskell.compiler.ghc902Binary: workaround com.apple.provenance xattr
5aa28c9 
See NixOS#413450.

(Ported from 759f224.)
@sternenseemann sternenseemann mentioned this pull request Jul 1, 2025
Merged
13 tasks
@wolfgangwalther
Copy link
Contributor

wolfgangwalther commented Jul 1, 2025

Sounds like a fix to me, which can equally happen on 25.05 - so let's backport!

@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented Jul 1, 2025

Successfully created backport PR for staging-25.05:

@nixpkgs-ci nixpkgs-ci bot mentioned this pull request Jul 1, 2025
Merged
1 task
@github-actions github-actions bot added the 8.has: port to stable This PR already has a backport to the stable release. label Jul 1, 2025
sternenseemann added a commit that referenced this pull request Jul 1, 2025
@sternenseemann
haskell.compiler.ghc902Binary: workaround com.apple.provenance xattr
d177909 
See #413450.

(Ported from 759f224.)
nixpkgs-ci bot pushed a commit that referenced this pull request Jul 1, 2025
@sternenseemann @github-actions
haskell.compiler.ghc902Binary: workaround com.apple.provenance xattr
c326da6 
See #413450.

(Ported from 759f224.)

(cherry picked from commit d177909)
@sternenseemann
Copy link
Member

sternenseemann commented Jul 1, 2025

I can just port the change into a second PR for haskell-updates (the rebuild for 9.0.2 is small by comparison).

Done in #421456.

@sternenseemann sternenseemann mentioned this pull request Jul 1, 2025
Closed
1 task
wolfgangwalther pushed a commit that referenced this pull request Jul 8, 2025
@sternenseemann @wolfgangwalther
haskell.compiler.ghc902Binary: workaround com.apple.provenance xattr
7e74004 
See #413450.

(Ported from 759f224.)

(cherry picked from commit d177909)
sternenseemann added a commit that referenced this pull request Jul 14, 2025
@sternenseemann
haskell.compiler.ghc902Binary: workaround com.apple.provenance xattr
4efc1cf 
See #413450.

(Ported from 759f224.)

(cherry picked from commit d177909)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sternenseemann sternenseemann sternenseemann approved these changes

@wolfgangwalther wolfgangwalther Awaiting requested review from wolfgangwalther

@maralorn maralorn Awaiting requested review from maralorn

@domenkozar domenkozar Awaiting requested review from domenkozar

@prusnak prusnak Awaiting requested review from prusnak

@guibou guibou Awaiting requested review from guibou

@cdepillabout cdepillabout Awaiting requested review from cdepillabout

Assignees

No one assigned

Labels

6.topic: haskell General-purpose, statically typed, purely functional programming language 8.has: port to stable This PR already has a backport to the stable release. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@reckenrode @sternenseemann @wolfgangwalther