nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-25 08:23:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
3616cfb8d9
nixpkgs/pkgs/build-support/replace-dependencies.nix
Alois Wohlschlager 3616cfb8d9 replaceDependencies: add support for ca-derivations 
Unlike regular input-addressed or fixed-output derivations, floating and
deferred derivations do not have their store path available at evaluation time,
so their outPath is a placeholder. The following changes are needed for
replaceDependencies to continue working:
* Detect the placeholder and retrieve the store path using another IFD hack
  when collecting the rewrite plan.
* Try to obtain the derivation name needed for replaceDirectDependencies from
  the derivation arguments if a placeholder is detected.
* Move the length mismatch detection to build time, since the placeholder has a
  fixed length which is unrelated to the store path.
2024-09-24 12:20:15 +02:00

194 lines
6.5 KiB
Nix
Raw Blame History

{
lib,
runCommandLocal,
replaceDirectDependencies,
}:
# Replace some dependencies in the requisites tree of drv, propagating the change all the way up the tree, even within other replacements, without a full rebuild.
# This can be useful, for example, to patch a security hole in libc and still use your system safely without rebuilding the world.
# This should be a short term solution, as soon as a rebuild can be done the properly rebuilt derivation should be used.
# Each old dependency and the corresponding new dependency MUST have the same-length name, and ideally should have close-to-identical directory layout.
#
# Example: safeFirefox = replaceDependencies {
# drv = firefox;
# replacements = [
# {
# oldDependency = glibc;
# newDependency = glibc.overrideAttrs (oldAttrs: {
# patches = oldAttrs.patches ++ [ ./fix-glibc-hole.patch ];
# });
# }
# {
# oldDependency = libwebp;
# newDependency = libwebp.overrideAttrs (oldAttrs: {
# patches = oldAttrs.patches ++ [ ./fix-libwebp-hole.patch ];
# });
# }
# ];
# };
# This will first rebuild glibc and libwebp with your security patches.
# Then it copies over firefox (and all of its dependencies) without rebuilding further.
# In particular, the glibc dependency of libwebp will be replaced by the patched version as well.
#
# In rare cases, it is possible for the replacement process to cause breakage (for example due to checksum mismatch).
# The cutoffPackages argument can be used to exempt the problematic packages from the replacement process.
{
drv,
replacements,
cutoffPackages ? [ ],
verbose ? true,
}:
let
inherit (builtins) unsafeDiscardStringContext appendContext;
inherit (lib)
trace
listToAttrs
isStorePath
readFile
attrValues
mapAttrs
filter
hasAttr
mapAttrsToList
;
inherit (lib.attrsets) mergeAttrsList;
toContextlessString = x: unsafeDiscardStringContext (toString x);
warn = if verbose then trace else (x: y: y);
referencesOf =
drv:
import
(runCommandLocal "references.nix"
{
exportReferencesGraph = [
"graph"
drv
];
}
''
(echo {
while read path
do
echo " \"$path\" = ["
read count
read count
while [ "0" != "$count" ]
do
read ref_path
if [ "$ref_path" != "$path" ]
then
echo " \"$ref_path\""
fi
count=$(($count - 1))
done
echo " ];"
done < graph
echo }) > $out
''
).outPath;
targetDerivations = [ drv ] ++ map ({ newDependency, ... }: newDependency) replacements;
realisation =
drv:
if isStorePath drv then
# Input-addressed and fixed-output derivations have their realisation as outPath.
toContextlessString drv
else
# Floating and deferred derivations have a placeholder outPath.
# The realisation can only be obtained by performing an actual build.
unsafeDiscardStringContext (
readFile (
runCommandLocal "realisation"
{
env = {
inherit drv;
};
}
''
echo -n "$drv" > $out
''
)
);
referencesMemo = listToAttrs (
map (drv: {
name = realisation drv;
value = referencesOf drv;
}) targetDerivations
);
relevantReferences = mergeAttrsList (attrValues referencesMemo);
# Make sure a derivation is returned even when no replacements are actually applied.
# Yes, even in the stupid edge case where the root derivation itself is replaced.
storePathOrKnownTargetDerivationMemo =
mapAttrs (
drv: _references:
# builtins.storePath does not work in pure evaluation mode, even though it is not impure.
# This reimplementation in Nix works as long as the path is already allowed in the evaluation state.
# This is always the case here, because all paths come from the closure of the original derivation.
appendContext drv { ${drv}.path = true; }
) relevantReferences
// listToAttrs (
map (drv: {
name = realisation drv;
value = drv;
}) targetDerivations
);
relevantReplacements = filter (
{ oldDependency, newDependency }:
if toString oldDependency == toString newDependency then
warn "replaceDependencies: attempting to replace dependency ${oldDependency} of ${drv} with itself"
# Attempting to replace a dependency by itself is completely useless, and would only lead to infinite recursion.
# Hence it must not be attempted to apply this replacement in any case.
false
else if !hasAttr (realisation oldDependency) referencesMemo.${realisation drv} then
warn "replaceDependencies: ${drv} does not depend on ${oldDependency}"
# Handle the corner case where one of the other replacements introduces the dependency.
# It would be more correct to not show the warning in this case, but the added complexity is probably not worth it.
true
else
true
) replacements;
rewriteMemo =
# Mind the order of how the three attrsets are merged here.
# The order of precedence needs to be "explicitly specified replacements" > "rewrite exclusion (cutoffPackages)" > "rewrite".
# So the attrset merge order is the opposite.
mapAttrs (
drv: references:
let
rewrittenReferences = filter (dep: dep != drv && toString rewriteMemo.${dep} != dep) references;
rewrites = listToAttrs (
map (reference: {
name = reference;
value = rewriteMemo.${reference};
}) rewrittenReferences
);
in
replaceDirectDependencies {
drv = storePathOrKnownTargetDerivationMemo.${drv};
replacements = mapAttrsToList (name: value: {
oldDependency = name;
newDependency = value;
}) rewrites;
}
) relevantReferences
// listToAttrs (
map (drv: {
name = realisation drv;
value = storePathOrKnownTargetDerivationMemo.${realisation drv};
}) cutoffPackages
)
// listToAttrs (
map (
{ oldDependency, newDependency }:
{
name = realisation oldDependency;
value = rewriteMemo.${realisation newDependency};
}
) relevantReplacements
);
in
rewriteMemo.${realisation drv}
Reference in New Issue View Git Blame Copy Permalink