whisper: built with -no-pie (prebuilt libraries) #457358

Merged: philiptaron merged 1 commit into NixOS:master from trofi:whisper-disable-pie on Nov 1, 2025

trofi (Contributor) commented Oct 31, 2025

Without the change the build fails as https://hydra.nixos.org/build/310775846:

    ld: libs/libz.a(deflate.o): relocation R_X86_64_32S against `.rodata' can not be used when making a PIE object; recompile with -fPIE
    ld: failed to set dynamic section sizes: bad value

It happens because libs/libz.a comes from a "source" tarball. As some libraries are not packaged in nixpkgs let's fall back to -no-pie.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.
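Added example, not part of the PR or of nixpkgs: a check for the relocation types that produce the `ld` error quoted above, run over one x86-64 ELF relocatable object before deciding whether a prebuilt library forces `-no-pie`. The function names are hypothetical and the sample object is constructed inline.

```python
import struct

# Absolute relocations of 32 bits or fewer on x86-64 (numbers from the psABI);
# ld generally rejects these, as in the error above, when producing a PIE.
NON_PIC = {10: "R_X86_64_32", 11: "R_X86_64_32S", 12: "R_X86_64_16", 14: "R_X86_64_8"}
SHT_RELA, EM_X86_64 = 4, 62

def pie_blocking_relocs(obj: bytes) -> list[str]:
    """Hypothetical helper: names of PIE-incompatible relocations in one ELF64 .o."""
    if obj[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    if struct.unpack_from("<H", obj, 18)[0] != EM_X86_64:
        raise ValueError("not an x86-64 object")
    (e_shoff,) = struct.unpack_from("<Q", obj, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", obj, 58)
    found = []
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        (sh_type,) = struct.unpack_from("<I", obj, base + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", obj, base + 24)
        if sh_type != SHT_RELA:
            continue
        # Each Elf64_Rela entry is r_offset, r_info, r_addend (24 bytes);
        # the relocation type is the low 32 bits of r_info.
        for off in range(sh_offset, sh_offset + sh_size, 24):
            _, r_info, _ = struct.unpack_from("<QQq", obj, off)
            if (r_info & 0xFFFFFFFF) in NON_PIC:
                found.append(NON_PIC[r_info & 0xFFFFFFFF])
    return found

def sample_object(rtypes):
    """Constructed input: a minimal ELF64 .o holding one SHT_RELA section."""
    rela = b"".join(struct.pack("<QQq", 0, (1 << 32) | t, 0) for t in rtypes)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, EM_X86_64, 1, 0, 0, 64, 0, 64, 0, 0, 64, 2, 0)
    rela_sh = struct.pack("<IIQQQQIIQQ", 0, SHT_RELA, 0, 0, 192, len(rela), 0, 0, 8, 24)
    return ehdr + bytes(64) + rela_sh + rela  # header, null section, rela section, data

if __name__ == "__main__":
    # Types 2 (PC32) and 4 (PLT32) are position-independent; 11 is R_X86_64_32S.
    print(pie_blocking_relocs(sample_object([2, 11, 4])))
```

For a static archive such as `libs/libz.a`, extract the members with `ar x` and run the check on each `.o` file.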

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. labels Oct 31, 2025
trofi (Contributor, Author) commented Oct 31, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 457358
Commit: 8fc7f161fe40407590183976bbe45337e9d246fc


x86_64-linux

✅ 2 packages built:
  • nixpkgs-manual
  • whisper

@nix-owners nix-owners bot requested a review from jbedo October 31, 2025 21:43
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Oct 31, 2025
LunNova (Member) commented Nov 1, 2025

The vendored precompiled libraries are 8 years old so it seems likely they're vulnerable and this package should be marked insecure, e.g. zlib version would be impacted by CVE-2022-37434.

@LunNova LunNova self-requested a review November 1, 2025 01:40
@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 2 This PR was reviewed and approved by two persons. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Nov 1, 2025
Without the change the build fails as https://hydra.nixos.org/build/310775846:

    ld: libs/libz.a(deflate.o): relocation R_X86_64_32S against `.rodata' can not be used when making a PIE object; recompile with -fPIE
    ld: failed to set dynamic section sizes: bad value

It happens because `libs/libz.a` comes from a
"source" tarball. As some libraries are not packaged
in `nixpkgs` let's fall back to `-no-pie`.

Co-authored-by: Justin Bedő <[email protected]>
@trofi trofi force-pushed the whisper-disable-pie branch from 87d7812 to 4f59e2f Compare November 1, 2025 08:12
philiptaron (Contributor) left a comment

Support the "mark broken" line of argumentation, merging this to unbreak in the interim.

@philiptaron philiptaron added this pull request to the merge queue Nov 1, 2025
Merged via the queue into NixOS:master with commit 3e86dab Nov 1, 2025
28 of 30 checks passed
@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 3+ This PR was reviewed and approved by three or more persons. and removed 12.approvals: 2 This PR was reviewed and approved by two persons. labels Nov 1, 2025
@trofi trofi deleted the whisper-disable-pie branch November 1, 2025 18:08
LunNova (Member) commented Nov 2, 2025

Setting knownVulnerabilities in #457885
