This introduces a patch that improves binary reproducibility since changes in
ordering of the generated code indeed cause changes in the compiled code.
Additionally, since neovim embeds luajit-compiled bytecode into the nvim binary,
we are impacted by https://github.com/LuaJIT/LuaJIT/issues/626 . It is possible
to switch to lua 5.1, but that'd be a regression (luajit has much better
performance and some plugins depend on it, like for example Noice and Lazy).
Disabling `COMPILE_LUA` at build time would cause a runtime penalty each time
neovim starts. Instead, we run luajit with those security settings disabled for
the build-time code generation.
(Note to self: for a minimized testcase this seemed to help at
975ec13f5d5aefcac1dbb15fa867e660e07c93a1 but no longer at
03080b795aa3496ed62d4a0697c9f4767e7ca7e5 of luajit, which is surprising since
that commit doesn't look super relevant. _Also_ surprisingly it does seem to
work in the context of the neovim code generation, though, so that might be
good enough...)
Also, some of the code generation (using mpack and tables) still relies on
stable table ordering. This should eventually be fixed, but as a workaround
we use the luajit-with-stable-string-ids for those generators as well.
Fixes #207841
Without `--with-system-{ffi,expat}` flags, Python will use its own
embedded libraries that are out-of-date. Thanks to it, they can be a
security issue. So let's use our own libraries instead.
This is already what Python 3.x does, so it should be safe.
Done with the help of https://github.com/Mindavi/nixpkgs-mark-broken
Tool is still WIP but this is one of the first results.
I manually audited the results and removed some results that were not valid.
Note that some of these packages maybe should have more constrained platforms set
instead of being set as broken, but I think not being perfectly correct is better than
just continuing to try to build all these things and never succeeding.
Some observations:
- Some darwin builds require Xcode tools
- aarch64-linux builds sometimes suffer from using gcc9
- gcc9 is getting older and misses some new libraries/features
- Sometimes tools try to do system detection or expect some explicit settings for
platforms that are not x86_64-linux
This PR strips down the modified `python27` derivation used by `resholve`. The
idea is to reduce the possible security issues, and also to make it easier to
bootstrap.