mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-31 18:15:54 +00:00
2712 lines
95 KiB
XML
2712 lines
95 KiB
XML
<chapter xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xml:id="chap-stdenv">
|
||
<title>The Standard Environment</title>
|
||
<para>
|
||
The standard build environment in the Nix Packages collection provides an
|
||
environment for building Unix packages that does a lot of common build tasks
|
||
automatically. In fact, for Unix packages that use the standard
|
||
<literal>./configure; make; make install</literal> build interface, you
|
||
don’t need to write a build script at all; the standard environment does
|
||
everything automatically. If <literal>stdenv</literal> doesn’t do what you
|
||
need automatically, you can easily customise or override the various build
|
||
phases.
|
||
</para>
|
||
<section xml:id="sec-using-stdenv">
|
||
<title>Using <literal>stdenv</literal></title>
|
||
|
||
<para>
|
||
To build a package with the standard environment, you use the function
|
||
<varname>stdenv.mkDerivation</varname>, instead of the primitive built-in
|
||
function <varname>derivation</varname>, e.g.
|
||
<programlisting>
|
||
stdenv.mkDerivation {
|
||
name = "libfoo-1.2.3";
|
||
src = fetchurl {
|
||
url = http://example.org/libfoo-1.2.3.tar.bz2;
|
||
sha256 = "0x2g1jqygyr5wiwg4ma1nd7w4ydpy82z9gkcv8vh2v8dn3y58v5m";
|
||
};
|
||
}</programlisting>
|
||
(<varname>stdenv</varname> needs to be in scope, so if you write this in a
|
||
separate Nix expression from <filename>pkgs/all-packages.nix</filename>, you
|
||
need to pass it as a function argument.) Specifying a
|
||
<varname>name</varname> and a <varname>src</varname> is the absolute minimum
|
||
you need to do. Many packages have dependencies that are not provided in the
|
||
standard environment. It’s usually sufficient to specify those
|
||
dependencies in the <varname>buildInputs</varname> attribute:
|
||
<programlisting>
|
||
stdenv.mkDerivation {
|
||
name = "libfoo-1.2.3";
|
||
...
|
||
buildInputs = [libbar perl ncurses];
|
||
}</programlisting>
|
||
This attribute ensures that the <filename>bin</filename> subdirectories of
|
||
these packages appear in the <envar>PATH</envar> environment variable during
|
||
the build, that their <filename>include</filename> subdirectories are
|
||
searched by the C compiler, and so on. (See
|
||
<xref linkend="ssec-setup-hooks"/> for details.)
|
||
</para>
|
||
|
||
<para>
|
||
Often it is necessary to override or modify some aspect of the build. To
|
||
make this easier, the standard environment breaks the package build into a
|
||
number of <emphasis>phases</emphasis>, all of which can be overridden or
|
||
modified individually: unpacking the sources, applying patches, configuring,
|
||
building, and installing. (There are some others; see
|
||
<xref linkend="sec-stdenv-phases"/>.) For instance, a package that doesn’t
|
||
supply a makefile but instead has to be compiled “manually” could be
|
||
handled like this:
|
||
<programlisting>
|
||
stdenv.mkDerivation {
|
||
name = "fnord-4.5";
|
||
...
|
||
buildPhase = ''
|
||
gcc foo.c -o foo
|
||
'';
|
||
installPhase = ''
|
||
mkdir -p $out/bin
|
||
cp foo $out/bin
|
||
'';
|
||
}</programlisting>
|
||
(Note the use of <literal>''</literal>-style string literals, which are very
|
||
convenient for large multi-line script fragments because they don’t need
|
||
escaping of <literal>"</literal> and <literal>\</literal>, and because
|
||
indentation is intelligently removed.)
|
||
</para>
|
||
|
||
<para>
|
||
There are many other attributes to customise the build. These are listed in
|
||
<xref linkend="ssec-stdenv-attributes"/>.
|
||
</para>
|
||
|
||
<para>
|
||
While the standard environment provides a generic builder, you can still
|
||
supply your own build script:
|
||
<programlisting>
|
||
stdenv.mkDerivation {
|
||
name = "libfoo-1.2.3";
|
||
...
|
||
builder = ./builder.sh;
|
||
}</programlisting>
|
||
where the builder can do anything it wants, but typically starts with
|
||
<programlisting>
|
||
source $stdenv/setup
|
||
</programlisting>
|
||
to let <literal>stdenv</literal> set up the environment (e.g., process the
|
||
<varname>buildInputs</varname>). If you want, you can still use
|
||
<literal>stdenv</literal>’s generic builder:
|
||
<programlisting>
|
||
source $stdenv/setup
|
||
|
||
buildPhase() {
|
||
echo "... this is my custom build phase ..."
|
||
gcc foo.c -o foo
|
||
}
|
||
|
||
installPhase() {
|
||
mkdir -p $out/bin
|
||
cp foo $out/bin
|
||
}
|
||
|
||
genericBuild
|
||
</programlisting>
|
||
</para>
|
||
</section>
|
||
<section xml:id="sec-tools-of-stdenv">
|
||
<title>Tools provided by <literal>stdenv</literal></title>
|
||
|
||
<para>
|
||
The standard environment provides the following packages:
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The GNU C Compiler, configured with C and C++ support.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU coreutils (contains a few dozen standard Unix commands).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU findutils (contains <command>find</command>).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU diffutils (contains <command>diff</command>, <command>cmp</command>).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU <command>sed</command>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU <command>grep</command>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU <command>awk</command>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU <command>tar</command>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<command>gzip</command>, <command>bzip2</command> and
|
||
<command>xz</command>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNU Make. It has been patched to provide <quote>nested</quote> output
|
||
that can be fed into the <command>nix-log2xml</command> command and
|
||
<command>log2html</command> stylesheet to create a structured, readable
|
||
output of the build steps performed by Make.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Bash. This is the shell used for all builders in the Nix Packages
|
||
collection. Not using <command>/bin/sh</command> removes a large source
|
||
of portability problems.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <command>patch</command> command.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
|
||
<para>
|
||
On Linux, <literal>stdenv</literal> also includes the
|
||
<command>patchelf</command> utility.
|
||
</para>
|
||
</section>
|
||
<section xml:id="ssec-stdenv-dependencies">
|
||
<title>Specifying dependencies</title>
|
||
|
||
<para>
|
||
As described in the Nix manual, almost any <filename>*.drv</filename> store
|
||
path in a derivation's attribute set will induce a dependency on that
|
||
derivation. <varname>mkDerivation</varname>, however, takes a few attributes
|
||
intended to, between them, include all the dependencies of a package. This
|
||
is done both for structure and consistency, but also so that certain other
|
||
setup can take place. For example, certain dependencies need their bin
|
||
directories added to the <envar>PATH</envar>. That is built-in, but other
|
||
setup is done via a pluggable mechanism that works in conjunction with these
|
||
dependency attributes. See <xref linkend="ssec-setup-hooks"/> for details.
|
||
</para>
|
||
|
||
<para>
|
||
Dependencies can be broken down along three axes: their host and target
|
||
platforms relative to the new derivation's, and whether they are propagated.
|
||
The platform distinctions are motivated by cross compilation; see
|
||
<xref linkend="chap-cross"/> for exactly what each platform means.
|
||
<footnote xml:id="footnote-stdenv-ignored-build-platform">
|
||
<para>
|
||
The build platform is ignored because it is a mere implementation detail
|
||
of the package satisfying the dependency: As a general programming
|
||
principle, dependencies are always <emphasis>specified</emphasis> as
|
||
interfaces, not concrete implementation.
|
||
</para>
|
||
</footnote>
|
||
But even if one is not cross compiling, the platforms imply whether or not
|
||
the dependency is needed at run-time or build-time, a concept that makes
|
||
perfect sense outside of cross compilation. For now, the run-time/build-time
|
||
distinction is just a hint for mental clarity, but in the future it perhaps
|
||
could be enforced.
|
||
</para>
|
||
|
||
<para>
|
||
The extension of <envar>PATH</envar> with dependencies, alluded to above,
|
||
proceeds according to the relative platforms alone. The process is carried
|
||
out only for dependencies whose host platform matches the new derivation's
|
||
build platform–i.e. which run on the platform where the new derivation
|
||
will be built.
|
||
<footnote xml:id="footnote-stdenv-native-dependencies-in-path">
|
||
<para>
|
||
Currently, that means for native builds all dependencies are put on the
|
||
<envar>PATH</envar>. But in the future that may not be the case for sake
|
||
of matching cross: the platforms would be assumed to be unique for native
|
||
and cross builds alike, so only the <varname>depsBuild*</varname> and
|
||
<varname>nativeBuildDependencies</varname> dependencies would affect the
|
||
<envar>PATH</envar>.
|
||
</para>
|
||
</footnote>
|
||
For each dependency <replaceable>dep</replaceable> of those dependencies,
|
||
<filename><replaceable>dep</replaceable>/bin</filename>, if present, is
|
||
added to the <envar>PATH</envar> environment variable.
|
||
</para>
|
||
|
||
<para>
|
||
The dependency is propagated when it forces some of its other-transitive
|
||
(non-immediate) downstream dependencies to also take it on as an immediate
|
||
dependency. Nix itself already takes a package's transitive dependencies
|
||
into account, but this propagation ensures nixpkgs-specific infrastructure
|
||
like setup hooks (mentioned above) also are run as if the propagated
|
||
dependency.
|
||
</para>
|
||
|
||
<para>
|
||
It is important to note dependencies are not necessary propagated as the
|
||
same sort of dependency that they were before, but rather as the
|
||
corresponding sort so that the platform rules still line up. The exact rules
|
||
for dependency propagation can be given by assigning each sort of dependency
|
||
two integers based one how it's host and target platforms are offset from
|
||
the depending derivation's platforms. Those offsets are given are given
|
||
below in the descriptions of each dependency list attribute.
|
||
Algorithmically, we traverse propagated inputs, accumulating every
|
||
propagated dep's propagated deps and adjusting them to account for the
|
||
"shift in perspective" described by the current dep's platform offsets. This
|
||
results in sort a transitive closure of the dependency relation, with the
|
||
offsets being approximately summed when two dependency links are combined.
|
||
We also prune transitive deps whose combined offsets go out-of-bounds, which
|
||
can be viewed as a filter over that transitive closure removing dependencies
|
||
that are blatantly absurd.
|
||
</para>
|
||
|
||
<para>
|
||
We can define the process precisely with
|
||
<link xlink:href="https://en.wikipedia.org/wiki/Natural_deduction">Natural
|
||
Deduction</link> using the inference rules. This probably seems a bit
|
||
obtuse, but so is the bash code that actually implements it!
|
||
<footnote xml:id="footnote-stdenv-find-inputs-location">
|
||
<para>
|
||
The <function>findInputs</function> function, currently residing in
|
||
<filename>pkgs/stdenv/generic/setup.sh</filename>, implements the
|
||
propagation logic.
|
||
</para>
|
||
</footnote>
|
||
They're confusing in very different ways so...hopefully if something doesn't
|
||
make sense in one presentation, it does in the other!
|
||
<programlisting>
|
||
let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)
|
||
|
||
propagated-dep(h0, t0, A, B)
|
||
propagated-dep(h1, t1, B, C)
|
||
h0 + h1 in {-1, 0, 1}
|
||
h0 + t1 in {-1, 0, 1}
|
||
-------------------------------------- Transitive property
|
||
propagated-dep(mapOffset(h0, t0, h1),
|
||
mapOffset(h0, t0, t1),
|
||
A, C)</programlisting>
|
||
<programlisting>
|
||
let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)
|
||
|
||
dep(h0, _, A, B)
|
||
propagated-dep(h1, t1, B, C)
|
||
h0 + h1 in {-1, 0, 1}
|
||
h0 + t1 in {-1, 0, -1}
|
||
-------------------------------------- Take immediate deps' propagated deps
|
||
propagated-dep(mapOffset(h0, t0, h1),
|
||
mapOffset(h0, t0, t1),
|
||
A, C)</programlisting>
|
||
<programlisting>
|
||
propagated-dep(h, t, A, B)
|
||
-------------------------------------- Propagated deps count as deps
|
||
dep(h, t, A, B)</programlisting>
|
||
Some explanation of this monstrosity is in order. In the common case, the
|
||
target offset of a dependency is the successor to the target offset:
|
||
<literal>t = h + 1</literal>. That means that:
|
||
<programlisting>
|
||
let f(h, t, i) = i + (if i <= 0 then h else t - 1)
|
||
let f(h, h + 1, i) = i + (if i <= 0 then h else (h + 1) - 1)
|
||
let f(h, h + 1, i) = i + (if i <= 0 then h else h)
|
||
let f(h, h + 1, i) = i + h
|
||
</programlisting>
|
||
This is where the "sum-like" comes from above: We can just sum all the host
|
||
offset to get the host offset of the transitive dependency. The target
|
||
offset is the transitive dep is simply the host offset + 1, just as it was
|
||
with the dependencies composed to make this transitive one; it can be
|
||
ignored as it doesn't add any new information.
|
||
</para>
|
||
|
||
<para>
|
||
Because of the bounds checks, the uncommon cases are <literal>h =
|
||
t</literal> and <literal>h + 2 = t</literal>. In the former case, the
|
||
motivation for <function>mapOffset</function> is that since its host and
|
||
target platforms are the same, no transitive dep of it should be able to
|
||
"discover" an offset greater than its reduced target offsets.
|
||
<function>mapOffset</function> effectively "squashes" all its transitive
|
||
dependencies' offsets so that none will ever be greater than the target
|
||
offset of the original <literal>h = t</literal> package. In the other case,
|
||
<literal>h + 1</literal> is skipped over between the host and target
|
||
offsets. Instead of squashing the offsets, we need to "rip" them apart so no
|
||
transitive dependencies' offset is that one.
|
||
</para>
|
||
|
||
<para>
|
||
Overall, the unifying theme here is that propagation shouldn't be
|
||
introducing transitive dependencies involving platforms the needing package
|
||
is unaware of. The offset bounds checking and definition of
|
||
<function>mapOffset</function> together ensure that this is the case.
|
||
Discovering a new offset is discovering a new platform, and since those
|
||
platforms weren't in the derivation "spec" of the needing package, they
|
||
cannot be relevant. From a capability perspective, we can imagine that the
|
||
host and target platforms of a package are the capabilities a package
|
||
requires, and the depending package must provide the capability to the
|
||
dependency.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables specifying dependencies</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsBuildBuild</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies whose host and target platforms are the new
|
||
derivation's build platform. This means a <literal>-1</literal> host and
|
||
<literal>-1</literal> target offset from the new derivation's platforms.
|
||
They are programs/libraries used at build time that furthermore produce
|
||
programs/libraries also used at build time. If the dependency doesn't
|
||
care about the target platform (i.e. isn't a compiler or similar tool),
|
||
put it in <varname>nativeBuildInputs</varname>instead. The most common
|
||
use for this <literal>buildPackages.stdenv.cc</literal>, the default C
|
||
compiler for this role. That example crops up more than one might think
|
||
in old commonly used C libraries.
|
||
</para>
|
||
<para>
|
||
Since these packages are able to be run at build time, that are always
|
||
added to the <envar>PATH</envar>, as described above. But since these
|
||
packages are only guaranteed to be able to run then, they shouldn't
|
||
persist as run-time dependencies. This isn't currently enforced, but
|
||
could be in the future.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>nativeBuildInputs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies whose host platform is the new derivation's build
|
||
platform, and target platform is the new derivation's host platform. This
|
||
means a <literal>-1</literal> host offset and <literal>0</literal> target
|
||
offset from the new derivation's platforms. They are programs/libraries
|
||
used at build time that, if they are a compiler or similar tool, produce
|
||
code to run at run time—i.e. tools used to build the new derivation. If
|
||
the dependency doesn't care about the target platform (i.e. isn't a
|
||
compiler or similar tool), put it here, rather than in
|
||
<varname>depsBuildBuild</varname> or <varname>depsBuildTarget</varname>.
|
||
This would be called <varname>depsBuildHost</varname> but for historical
|
||
continuity.
|
||
</para>
|
||
<para>
|
||
Since these packages are able to be run at build time, that are added to
|
||
the <envar>PATH</envar>, as described above. But since these packages
|
||
only are guaranteed to be able to run then, they shouldn't persist as
|
||
run-time dependencies. This isn't currently enforced, but could be in the
|
||
future.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsBuildTarget</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies whose host platform is the new derivation's build
|
||
platform, and target platform is the new derivation's target platform.
|
||
This means a <literal>-1</literal> host offset and <literal>1</literal>
|
||
target offset from the new derivation's platforms. They are programs used
|
||
at build time that produce code to run at run with code produced by the
|
||
depending package. Most commonly, these would tools used to build the
|
||
runtime or standard library the currently-being-built compiler will
|
||
inject into any code it compiles. In many cases, the currently-being
|
||
built compiler is itself employed for that task, but when that compiler
|
||
won't run (i.e. its build and host platform differ) this is not possible.
|
||
Other times, the compiler relies on some other tool, like binutils, that
|
||
is always built separately so the dependency is unconditional.
|
||
</para>
|
||
<para>
|
||
This is a somewhat confusing dependency to wrap ones head around, and for
|
||
good reason. As the only one where the platform offsets are not adjacent
|
||
integers, it requires thinking of a bootstrapping stage
|
||
<emphasis>two</emphasis> away from the current one. It and it's use-case
|
||
go hand in hand and are both considered poor form: try not to need this
|
||
sort dependency, and try not avoid building standard libraries / runtimes
|
||
in the same derivation as the compiler produces code using them. Instead
|
||
strive to build those like a normal library, using the newly-built
|
||
compiler just as a normal library would. In short, do not use this
|
||
attribute unless you are packaging a compiler and are sure it is needed.
|
||
</para>
|
||
<para>
|
||
Since these packages are able to be run at build time, that are added to
|
||
the <envar>PATH</envar>, as described above. But since these packages
|
||
only are guaranteed to be able to run then, they shouldn't persist as
|
||
run-time dependencies. This isn't currently enforced, but could be in the
|
||
future.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsHostHost</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies whose host and target platforms match the new
|
||
derivation's host platform. This means a both <literal>0</literal> host
|
||
offset and <literal>0</literal> target offset from the new derivation's
|
||
host platform. These are packages used at run-time to generate code also
|
||
used at run-time. In practice, that would usually be tools used by
|
||
compilers for metaprogramming/macro systems, or libraries used by the
|
||
macros/metaprogramming code itself. It's always preferable to use a
|
||
<varname>depsBuildBuild</varname> dependency in the derivation being
|
||
built than a <varname>depsHostHost</varname> on the tool doing the
|
||
building for this purpose.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>buildInputs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies whose host platform and target platform match the
|
||
new derivation's. This means a <literal>0</literal> host offset and
|
||
<literal>1</literal> target offset from the new derivation's host
|
||
platform. This would be called <varname>depsHostTarget</varname> but for
|
||
historical continuity. If the dependency doesn't care about the target
|
||
platform (i.e. isn't a compiler or similar tool), put it here, rather
|
||
than in <varname>depsBuildBuild</varname>.
|
||
</para>
|
||
<para>
|
||
These often are programs/libraries used by the new derivation at
|
||
<emphasis>run</emphasis>-time, but that isn't always the case. For
|
||
example, the machine code in a statically linked library is only used at
|
||
run time, but the derivation containing the library is only needed at
|
||
build time. Even in the dynamic case, the library may also be needed at
|
||
build time to appease the linker.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsTargetTarget</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies whose host platform matches the new derivation's
|
||
target platform. This means a <literal>1</literal> offset from the new
|
||
derivation's platforms. These are packages that run on the target
|
||
platform, e.g. the standard library or run-time deps of standard library
|
||
that a compiler insists on knowing about. It's poor form in almost all
|
||
cases for a package to depend on another from a future stage [future
|
||
stage corresponding to positive offset]. Do not use this attribute unless
|
||
you are packaging a compiler and are sure it is needed.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsBuildBuildPropagated</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The propagated equivalent of <varname>depsBuildBuild</varname>. This
|
||
perhaps never ought to be used, but it is included for consistency [see
|
||
below for the others].
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>propagatedNativeBuildInputs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The propagated equivalent of <varname>nativeBuildInputs</varname>. This
|
||
would be called <varname>depsBuildHostPropagated</varname> but for
|
||
historical continuity. For example, if package <varname>Y</varname> has
|
||
<literal>propagatedNativeBuildInputs = [X]</literal>, and package
|
||
<varname>Z</varname> has <literal>buildInputs = [Y]</literal>, then
|
||
package <varname>Z</varname> will be built as if it included package
|
||
<varname>X</varname> in its <varname>nativeBuildInputs</varname>. If
|
||
instead, package <varname>Z</varname> has <literal>nativeBuildInputs =
|
||
[Y]</literal>, then <varname>Z</varname> will be built as if it included
|
||
<varname>X</varname> in the <varname>depsBuildBuild</varname> of package
|
||
<varname>Z</varname>, because of the sum of the two <literal>-1</literal>
|
||
host offsets.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsBuildTargetPropagated</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The propagated equivalent of <varname>depsBuildTarget</varname>. This is
|
||
prefixed for the same reason of alerting potential users.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsHostHostPropagated</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The propagated equivalent of <varname>depsHostHost</varname>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>propagatedBuildInputs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The propagated equivalent of <varname>buildInputs</varname>. This would
|
||
be called <varname>depsHostTargetPropagated</varname> but for historical
|
||
continuity.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>depsTargetTarget</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The propagated equivalent of <varname>depsTargetTarget</varname>. This is
|
||
prefixed for the same reason of alerting potential users.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
<section xml:id="ssec-stdenv-attributes">
|
||
<title>Attributes</title>
|
||
|
||
<variablelist>
|
||
<title>Variables affecting <literal>stdenv</literal> initialisation</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>NIX_DEBUG</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A natural number indicating how much information to log. If set to 1 or
|
||
higher, <literal>stdenv</literal> will print moderate debug information
|
||
during the build. In particular, the <command>gcc</command> and
|
||
<command>ld</command> wrapper scripts will print out the complete command
|
||
line passed to the wrapped tools. If set to 6 or higher, the
|
||
<literal>stdenv</literal> setup script will be run with <literal>set
|
||
-x</literal> tracing. If set to 7 or higher, the <command>gcc</command>
|
||
and <command>ld</command> wrapper scripts will also be run with
|
||
<literal>set -x</literal> tracing.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<variablelist>
|
||
<title>Variables affecting build properties</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>enableParallelBuilding</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set to <literal>true</literal>, <literal>stdenv</literal> will pass
|
||
specific flags to <literal>make</literal> and other build tools to enable
|
||
parallel building with up to <literal>build-cores</literal> workers.
|
||
</para>
|
||
<para>
|
||
Unless set to <literal>false</literal>, some build systems with good
|
||
support for parallel building including <literal>cmake</literal>,
|
||
<literal>meson</literal>, and <literal>qmake</literal> will set it to
|
||
<literal>true</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preferLocalBuild</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set, specifies that the package is so lightweight in terms of build
|
||
operations (e.g. write a text file from a Nix string to the store) that
|
||
there's no need to look for it in binary caches -- it's faster to just
|
||
build it locally. It also tells Hydra and other facilities that this
|
||
package doesn't need to be exported in binary caches (noone would use it,
|
||
after all).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<variablelist>
|
||
<title>Special variables</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>passthru</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
This is an attribute set which can be filled with arbitrary values. For
|
||
example:
|
||
<programlisting>
|
||
passthru = {
|
||
foo = "bar";
|
||
baz = {
|
||
value1 = 4;
|
||
value2 = 5;
|
||
};
|
||
}
|
||
</programlisting>
|
||
</para>
|
||
<para>
|
||
Values inside it are not passed to the builder, so you can change them
|
||
without triggering a rebuild. However, they can be accessed outside of a
|
||
derivation directly, as if they were set inside a derivation itself, e.g.
|
||
<literal>hello.baz.value1</literal>. We don't specify any usage or schema
|
||
of <literal>passthru</literal> - it is meant for values that would be
|
||
useful outside the derivation in other parts of a Nix expression (e.g. in
|
||
other derivations). An example would be to convey some specific
|
||
dependency of your derivation which contains a program with plugins
|
||
support. Later, others who make derivations with plugins can use
|
||
passed-through dependency to ensure that their plugin would be
|
||
binary-compatible with built program.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
<section xml:id="sec-stdenv-phases">
|
||
<title>Phases</title>
|
||
|
||
<para>
|
||
The generic builder has a number of <emphasis>phases</emphasis>. Package
|
||
builds are split into phases to make it easier to override specific parts of
|
||
the build (e.g., unpacking the sources or installing the binaries).
|
||
Furthermore, it allows a nicer presentation of build logs in the Nix build
|
||
farm.
|
||
</para>
|
||
|
||
<para>
|
||
Each phase can be overridden in its entirety either by setting the
|
||
environment variable <varname><replaceable>name</replaceable>Phase</varname>
|
||
to a string containing some shell commands to be executed, or by redefining
|
||
the shell function <varname><replaceable>name</replaceable>Phase</varname>.
|
||
The former is convenient to override a phase from the derivation, while the
|
||
latter is convenient from a build script. However, typically one only wants
|
||
to <emphasis>add</emphasis> some commands to a phase, e.g. by defining
|
||
<literal>postInstall</literal> or <literal>preFixup</literal>, as skipping
|
||
some of the default actions may have unexpected consequences.
|
||
</para>
|
||
|
||
<section xml:id="ssec-controlling-phases">
|
||
<title>Controlling phases</title>
|
||
|
||
<para>
|
||
There are a number of variables that control what phases are executed and
|
||
in what order:
|
||
<variablelist>
|
||
<title>Variables affecting phase control</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>phases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Specifies the phases. You can change the order in which phases are
|
||
executed, or add new phases, by setting this variable. If it’s not
|
||
set, the default value is used, which is <literal>$prePhases
|
||
unpackPhase patchPhase $preConfigurePhases configurePhase
|
||
$preBuildPhases buildPhase checkPhase $preInstallPhases installPhase
|
||
fixupPhase $preDistPhases distPhase $postPhases</literal>.
|
||
</para>
|
||
<para>
|
||
Usually, if you just want to add a few phases, it’s more convenient
|
||
to set one of the variables below (such as
|
||
<varname>preInstallPhases</varname>), as you then don’t specify all
|
||
the normal phases.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>prePhases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional phases executed before any of the default phases.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preConfigurePhases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional phases executed just before the configure phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preBuildPhases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional phases executed just before the build phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preInstallPhases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional phases executed just before the install phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preFixupPhases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional phases executed just before the fixup phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preDistPhases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional phases executed just before the distribution phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postPhases</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional phases executed after any of the default phases.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</para>
|
||
</section>
|
||
|
||
<section xml:id="ssec-unpack-phase">
|
||
<title>The unpack phase</title>
|
||
|
||
<para>
|
||
The unpack phase is responsible for unpacking the source code of the
|
||
package. The default implementation of <function>unpackPhase</function>
|
||
unpacks the source files listed in the <envar>src</envar> environment
|
||
variable to the current directory. It supports the following files by
|
||
default:
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term>
|
||
Tar files
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
These can optionally be compressed using <command>gzip</command>
|
||
(<filename>.tar.gz</filename>, <filename>.tgz</filename> or
|
||
<filename>.tar.Z</filename>), <command>bzip2</command>
|
||
(<filename>.tar.bz2</filename>, <filename>.tbz2</filename> or
|
||
<filename>.tbz</filename>) or <command>xz</command>
|
||
(<filename>.tar.xz</filename>, <filename>.tar.lzma</filename> or
|
||
<filename>.txz</filename>).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
Zip files
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Zip files are unpacked using <command>unzip</command>. However,
|
||
<command>unzip</command> is not in the standard environment, so you
|
||
should add it to <varname>buildInputs</varname> yourself.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
Directories in the Nix store
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
These are simply copied to the current directory. The hash part of the
|
||
file name is stripped, e.g.
|
||
<filename>/nix/store/1wydxgby13cz...-my-sources</filename> would be
|
||
copied to <filename>my-sources</filename>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
Additional file types can be supported by setting the
|
||
<varname>unpackCmd</varname> variable (see below).
|
||
</para>
|
||
|
||
<para></para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the unpack phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>srcs</varname> / <varname>src</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The list of source files or directories to be unpacked or copied. One of
|
||
these must be set.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>sourceRoot</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
After running <function>unpackPhase</function>, the generic builder
|
||
changes the current directory to the directory created by unpacking the
|
||
sources. If there are multiple source directories, you should set
|
||
<varname>sourceRoot</varname> to the name of the intended directory.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>setSourceRoot</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Alternatively to setting <varname>sourceRoot</varname>, you can set
|
||
<varname>setSourceRoot</varname> to a shell command to be evaluated by
|
||
the unpack phase after the sources have been unpacked. This command must
|
||
set <varname>sourceRoot</varname>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preUnpack</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the unpack phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postUnpack</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the unpack phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontMakeSourcesWritable</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set to <literal>1</literal>, the unpacked sources are
|
||
<emphasis>not</emphasis> made writable. By default, they are made
|
||
writable to prevent problems with read-only sources. For example, copied
|
||
store directories would be read-only without this.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>unpackCmd</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The unpack phase evaluates the string <literal>$unpackCmd</literal> for
|
||
any unrecognised file. The path to the current source file is contained
|
||
in the <varname>curSrc</varname> variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
|
||
<section xml:id="ssec-patch-phase">
|
||
<title>The patch phase</title>
|
||
|
||
<para>
|
||
The patch phase applies the list of patches defined in the
|
||
<varname>patches</varname> variable.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the patch phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>patches</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The list of patches. They must be in the format accepted by the
|
||
<command>patch</command> command, and may optionally be compressed using
|
||
<command>gzip</command> (<filename>.gz</filename>),
|
||
<command>bzip2</command> (<filename>.bz2</filename>) or
|
||
<command>xz</command> (<filename>.xz</filename>).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>patchFlags</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Flags to be passed to <command>patch</command>. If not set, the argument
|
||
<option>-p1</option> is used, which causes the leading directory
|
||
component to be stripped from the file names in each patch.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>prePatch</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the patch phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postPatch</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the patch phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
|
||
<section xml:id="ssec-configure-phase">
|
||
<title>The configure phase</title>
|
||
|
||
<para>
|
||
The configure phase prepares the source tree for building. The default
|
||
<function>configurePhase</function> runs <filename>./configure</filename>
|
||
(typically an Autoconf-generated script) if it exists.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the configure phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>configureScript</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The name of the configure script. It defaults to
|
||
<filename>./configure</filename> if it exists; otherwise, the configure
|
||
phase is skipped. This can actually be a command (like <literal>perl
|
||
./Configure.pl</literal>).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>configureFlags</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of strings passed as additional arguments to the configure
|
||
script.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>configureFlagsArray</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A shell array containing additional arguments passed to the configure
|
||
script. You must use this instead of <varname>configureFlags</varname>
|
||
if the arguments contain spaces.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontAddPrefix</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
By default, the flag <literal>--prefix=$prefix</literal> is added to the
|
||
configure flags. If this is undesirable, set this variable to true.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>prefix</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The prefix under which the package must be installed, passed via the
|
||
<option>--prefix</option> option to the configure script. It defaults to
|
||
<option>$out</option>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontAddDisableDepTrack</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
By default, the flag <literal>--disable-dependency-tracking</literal> is
|
||
added to the configure flags to speed up Automake-based builds. If this
|
||
is undesirable, set this variable to true.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontFixLibtool</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
By default, the configure phase applies some special hackery to all
|
||
files called <filename>ltmain.sh</filename> before running the configure
|
||
script in order to improve the purity of Libtool-based packages
|
||
<footnote xml:id="footnote-stdenv-sys-lib-search-path">
|
||
<para>
|
||
It clears the
|
||
<varname>sys_lib_<replaceable>*</replaceable>search_path</varname>
|
||
variables in the Libtool script to prevent Libtool from using
|
||
libraries in <filename>/usr/lib</filename> and such.
|
||
</para>
|
||
</footnote>
|
||
. If this is undesirable, set this variable to true.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontDisableStatic</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
By default, when the configure script has
|
||
<option>--enable-static</option>, the option
|
||
<option>--disable-static</option> is added to the configure flags.
|
||
</para>
|
||
<para>
|
||
If this is undesirable, set this variable to true.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>configurePlatforms</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
By default, when cross compiling, the configure script has
|
||
<option>--build=...</option> and <option>--host=...</option> passed.
|
||
Packages can instead pass <literal>[ "build" "host" "target" ]</literal>
|
||
or a subset to control exactly which platform flags are passed.
|
||
Compilers and other tools should use this to also pass the target
|
||
platform, for example.
|
||
<footnote xml:id="footnote-stdenv-build-time-guessing-impurity">
|
||
<para>
|
||
Eventually these will be passed when in native builds too, to improve
|
||
determinism: build-time guessing, as is done today, is a risk of
|
||
impurity.
|
||
</para>
|
||
</footnote>
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preConfigure</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the configure phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postConfigure</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the configure phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
|
||
<section xml:id="build-phase">
|
||
<title>The build phase</title>
|
||
|
||
<para>
|
||
The build phase is responsible for actually building the package (e.g.
|
||
compiling it). The default <function>buildPhase</function> simply calls
|
||
<command>make</command> if a file named <filename>Makefile</filename>,
|
||
<filename>makefile</filename> or <filename>GNUmakefile</filename> exists in
|
||
the current directory (or the <varname>makefile</varname> is explicitly
|
||
set); otherwise it does nothing.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the build phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontBuild</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Set to true to skip the build phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>makefile</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The file name of the Makefile.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>checkInputs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies used by the phase. This gets included in
|
||
<varname>buildInputs</varname> when <varname>doCheck</varname> is set.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>makeFlags</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of strings passed as additional flags to <command>make</command>.
|
||
These flags are also used by the default install and check phase. For
|
||
setting make flags specific to the build phase, use
|
||
<varname>buildFlags</varname> (see below).
|
||
<programlisting>
|
||
makeFlags = [ "PREFIX=$(out)" ];
|
||
</programlisting>
|
||
<note>
|
||
<para>
|
||
The flags are quoted in bash, but environment variables can be
|
||
specified by using the make syntax.
|
||
</para>
|
||
</note>
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>makeFlagsArray</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A shell array containing additional arguments passed to
|
||
<command>make</command>. You must use this instead of
|
||
<varname>makeFlags</varname> if the arguments contain spaces, e.g.
|
||
<programlisting>
|
||
makeFlagsArray=(CFLAGS="-O0 -g" LDFLAGS="-lfoo -lbar")
|
||
</programlisting>
|
||
Note that shell arrays cannot be passed through environment variables,
|
||
so you cannot set <varname>makeFlagsArray</varname> in a derivation
|
||
attribute (because those are passed through environment variables): you
|
||
have to define them in shell code.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>buildFlags</varname> / <varname>buildFlagsArray</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of strings passed as additional flags to <command>make</command>.
|
||
Like <varname>makeFlags</varname> and <varname>makeFlagsArray</varname>,
|
||
but only used by the build phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preBuild</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the build phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postBuild</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the build phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<para>
|
||
You can set flags for <command>make</command> through the
|
||
<varname>makeFlags</varname> variable.
|
||
</para>
|
||
|
||
<para>
|
||
Before and after running <command>make</command>, the hooks
|
||
<varname>preBuild</varname> and <varname>postBuild</varname> are called,
|
||
respectively.
|
||
</para>
|
||
</section>
|
||
|
||
<section xml:id="ssec-check-phase">
|
||
<title>The check phase</title>
|
||
|
||
<para>
|
||
The check phase checks whether the package was built correctly by running
|
||
its test suite. The default <function>checkPhase</function> calls
|
||
<command>make check</command>, but only if the <varname>doCheck</varname>
|
||
variable is enabled.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the check phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>doCheck</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Controls whether the check phase is executed. By default it is skipped,
|
||
but if <varname>doCheck</varname> is set to true, the check phase is
|
||
usually executed. Thus you should set
|
||
<programlisting>doCheck = true;</programlisting>
|
||
in the derivation to enable checks. The exception is cross compilation.
|
||
Cross compiled builds never run tests, no matter how
|
||
<varname>doCheck</varname> is set, as the newly-built program won't run
|
||
on the platform used to build it.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>makeFlags</varname> / <varname>makeFlagsArray</varname> / <varname>makefile</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
See the build phase for details.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>checkTarget</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The make target that runs the tests. Defaults to
|
||
<literal>check</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>checkFlags</varname> / <varname>checkFlagsArray</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of strings passed as additional flags to <command>make</command>.
|
||
Like <varname>makeFlags</varname> and <varname>makeFlagsArray</varname>,
|
||
but only used by the check phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preCheck</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the check phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postCheck</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the check phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
|
||
<section xml:id="ssec-install-phase">
|
||
<title>The install phase</title>
|
||
|
||
<para>
|
||
The install phase is responsible for installing the package in the Nix
|
||
store under <envar>out</envar>. The default
|
||
<function>installPhase</function> creates the directory
|
||
<literal>$out</literal> and calls <command>make install</command>.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the install phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>makeFlags</varname> / <varname>makeFlagsArray</varname> / <varname>makefile</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
See the build phase for details.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>installTargets</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The make targets that perform the installation. Defaults to
|
||
<literal>install</literal>. Example:
|
||
<programlisting>
|
||
installTargets = "install-bin install-doc";</programlisting>
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>installFlags</varname> / <varname>installFlagsArray</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of strings passed as additional flags to <command>make</command>.
|
||
Like <varname>makeFlags</varname> and <varname>makeFlagsArray</varname>,
|
||
but only used by the install phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preInstall</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the install phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postInstall</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the install phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
|
||
<section xml:id="ssec-fixup-phase">
|
||
<title>The fixup phase</title>
|
||
|
||
<para>
|
||
The fixup phase performs some (Nix-specific) post-processing actions on the
|
||
files installed under <filename>$out</filename> by the install phase. The
|
||
default <function>fixupPhase</function> does the following:
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
It moves the <filename>man/</filename>, <filename>doc/</filename> and
|
||
<filename>info/</filename> subdirectories of <envar>$out</envar> to
|
||
<filename>share/</filename>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
It strips libraries and executables of debug information.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
On Linux, it applies the <command>patchelf</command> command to ELF
|
||
executables and libraries to remove unused directories from the
|
||
<literal>RPATH</literal> in order to prevent unnecessary runtime
|
||
dependencies.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
It rewrites the interpreter paths of shell scripts to paths found in
|
||
<envar>PATH</envar>. E.g., <filename>/usr/bin/perl</filename> will be
|
||
rewritten to
|
||
<filename>/nix/store/<replaceable>some-perl</replaceable>/bin/perl</filename>
|
||
found in <envar>PATH</envar>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the fixup phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontStrip</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set, libraries and executables are not stripped. By default, they
|
||
are.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontStripHost</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Like <varname>dontStripHost</varname>, but only affects the
|
||
<command>strip</command> command targetting the package's host platform.
|
||
Useful when supporting cross compilation, but otherwise feel free to
|
||
ignore.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontStripTarget</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Like <varname>dontStripHost</varname>, but only affects the
|
||
<command>strip</command> command targetting the packages' target
|
||
platform. Useful when supporting cross compilation, but otherwise feel
|
||
free to ignore.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontMoveSbin</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set, files in <filename>$out/sbin</filename> are not moved to
|
||
<filename>$out/bin</filename>. By default, they are.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>stripAllList</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
List of directories to search for libraries and executables from which
|
||
<emphasis>all</emphasis> symbols should be stripped. By default, it’s
|
||
empty. Stripping all symbols is risky, since it may remove not just
|
||
debug symbols but also ELF information necessary for normal execution.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>stripAllFlags</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Flags passed to the <command>strip</command> command applied to the
|
||
files in the directories listed in <varname>stripAllList</varname>.
|
||
Defaults to <option>-s</option> (i.e. <option>--strip-all</option>).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>stripDebugList</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
List of directories to search for libraries and executables from which
|
||
only debugging-related symbols should be stripped. It defaults to
|
||
<literal>lib bin sbin</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>stripDebugFlags</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Flags passed to the <command>strip</command> command applied to the
|
||
files in the directories listed in <varname>stripDebugList</varname>.
|
||
Defaults to <option>-S</option> (i.e. <option>--strip-debug</option>).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontPatchELF</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set, the <command>patchelf</command> command is not used to remove
|
||
unnecessary <literal>RPATH</literal> entries. Only applies to Linux.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontPatchShebangs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set, scripts starting with <literal>#!</literal> do not have their
|
||
interpreter paths rewritten to paths in the Nix store.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>forceShare</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The list of directories that must be moved from
|
||
<filename>$out</filename> to <filename>$out/share</filename>. Defaults
|
||
to <literal>man doc info</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>setupHook</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A package can export a <link
|
||
linkend="ssec-setup-hooks">setup
|
||
hook</link> by setting this variable. The setup hook, if defined, is
|
||
copied to <filename>$out/nix-support/setup-hook</filename>. Environment
|
||
variables are then substituted in it using
|
||
<function
|
||
linkend="fun-substituteAll">substituteAll</function>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preFixup</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the fixup phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postFixup</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the fixup phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry xml:id="stdenv-separateDebugInfo">
|
||
<term>
|
||
<varname>separateDebugInfo</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set to <literal>true</literal>, the standard environment will enable
|
||
debug information in C/C++ builds. After installation, the debug
|
||
information will be separated from the executables and stored in the
|
||
output named <literal>debug</literal>. (This output is enabled
|
||
automatically; you don’t need to set the <varname>outputs</varname>
|
||
attribute explicitly.) To be precise, the debug information is stored in
|
||
<filename><replaceable>debug</replaceable>/lib/debug/.build-id/<replaceable>XX</replaceable>/<replaceable>YYYY…</replaceable></filename>,
|
||
where <replaceable>XXYYYY…</replaceable> is the <replaceable>build
|
||
ID</replaceable> of the binary — a SHA-1 hash of the contents of the
|
||
binary. Debuggers like GDB use the build ID to look up the separated
|
||
debug information.
|
||
</para>
|
||
<para>
|
||
For example, with GDB, you can add
|
||
<programlisting>
|
||
set debug-file-directory ~/.nix-profile/lib/debug
|
||
</programlisting>
|
||
to <filename>~/.gdbinit</filename>. GDB will then be able to find debug
|
||
information installed via <literal>nix-env -i</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
|
||
<section xml:id="ssec-installCheck-phase">
|
||
<title>The installCheck phase</title>
|
||
|
||
<para>
|
||
The installCheck phase checks whether the package was installed correctly
|
||
by running its test suite against the installed directories. The default
|
||
<function>installCheck</function> calls <command>make
|
||
installcheck</command>.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the installCheck phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>doInstallCheck</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Controls whether the installCheck phase is executed. By default it is
|
||
skipped, but if <varname>doInstallCheck</varname> is set to true, the
|
||
installCheck phase is usually executed. Thus you should set
|
||
<programlisting>doInstallCheck = true;</programlisting>
|
||
in the derivation to enable install checks. The exception is cross
|
||
compilation. Cross compiled builds never run tests, no matter how
|
||
<varname>doInstallCheck</varname> is set, as the newly-built program
|
||
won't run on the platform used to build it.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>installCheckTarget</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The make target that runs the install tests. Defaults to
|
||
<literal>installcheck</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>installCheckFlags</varname> / <varname>installCheckFlagsArray</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of strings passed as additional flags to <command>make</command>.
|
||
Like <varname>makeFlags</varname> and <varname>makeFlagsArray</varname>,
|
||
but only used by the installCheck phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>installCheckInputs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
A list of dependencies used by the phase. This gets included in
|
||
<varname>buildInputs</varname> when <varname>doInstallCheck</varname> is
|
||
set.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preInstallCheck</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the installCheck phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postInstallCheck</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the installCheck phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
|
||
<section xml:id="ssec-distribution-phase">
|
||
<title>The distribution phase</title>
|
||
|
||
<para>
|
||
The distribution phase is intended to produce a source distribution of the
|
||
package. The default <function>distPhase</function> first calls
|
||
<command>make dist</command>, then it copies the resulting source tarballs
|
||
to <filename>$out/tarballs/</filename>. This phase is only executed if the
|
||
attribute <varname>doDist</varname> is set.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<title>Variables controlling the distribution phase</title>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>distTarget</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The make target that produces the distribution. Defaults to
|
||
<literal>dist</literal>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>distFlags</varname> / <varname>distFlagsArray</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Additional flags passed to <command>make</command>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>tarballs</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The names of the source distribution files to be copied to
|
||
<filename>$out/tarballs/</filename>. It can contain shell wildcards. The
|
||
default is <filename>*.tar.gz</filename>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>dontCopyDist</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
If set, no files are copied to <filename>$out/tarballs/</filename>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>preDist</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the start of the distribution phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>postDist</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Hook executed at the end of the distribution phase.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
</section>
|
||
<section xml:id="ssec-stdenv-functions">
|
||
<title>Shell functions</title>
|
||
|
||
<para>
|
||
The standard environment provides a number of useful functions.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<varlistentry xml:id='fun-makeWrapper'>
|
||
<term>
|
||
<function>makeWrapper</function> <replaceable>executable</replaceable> <replaceable>wrapperfile</replaceable> <replaceable>args</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Constructs a wrapper for a program with various possible arguments. For
|
||
example:
|
||
<programlisting>
|
||
# adds `FOOBAR=baz` to `$out/bin/foo`’s environment
|
||
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
|
||
|
||
# prefixes the binary paths of `hello` and `git`
|
||
# Be advised that paths often should be patched in directly
|
||
# (via string replacements or in `configurePhase`).
|
||
makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello git ]}
|
||
</programlisting>
|
||
There’s many more kinds of arguments, they are documented in
|
||
<literal>nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh</literal>.
|
||
</para>
|
||
<para>
|
||
<literal>wrapProgram</literal> is a convenience function you probably
|
||
want to use most of the time.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry xml:id='fun-substitute'>
|
||
<term>
|
||
<function>substitute</function> <replaceable>infile</replaceable> <replaceable>outfile</replaceable> <replaceable>subs</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Performs string substitution on the contents of
|
||
<replaceable>infile</replaceable>, writing the result to
|
||
<replaceable>outfile</replaceable>. The substitutions in
|
||
<replaceable>subs</replaceable> are of the following form:
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term>
|
||
<option>--replace</option> <replaceable>s1</replaceable> <replaceable>s2</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Replace every occurrence of the string <replaceable>s1</replaceable>
|
||
by <replaceable>s2</replaceable>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<option>--subst-var</option> <replaceable>varName</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Replace every occurrence of
|
||
<literal>@<replaceable>varName</replaceable>@</literal> by the
|
||
contents of the environment variable
|
||
<replaceable>varName</replaceable>. This is useful for generating
|
||
files from templates, using
|
||
<literal>@<replaceable>...</replaceable>@</literal> in the template
|
||
as placeholders.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<option>--subst-var-by</option> <replaceable>varName</replaceable> <replaceable>s</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Replace every occurrence of
|
||
<literal>@<replaceable>varName</replaceable>@</literal> by the string
|
||
<replaceable>s</replaceable>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</para>
|
||
<para>
|
||
Example:
|
||
<programlisting>
|
||
substitute ./foo.in ./foo.out \
|
||
--replace /usr/bin/bar $bar/bin/bar \
|
||
--replace "a string containing spaces" "some other text" \
|
||
--subst-var someVar
|
||
</programlisting>
|
||
</para>
|
||
<para>
|
||
<function>substitute</function> is implemented using the
|
||
<command
|
||
xlink:href="http://replace.richardlloyd.org.uk/">replace</command>
|
||
command. Unlike with the <command>sed</command> command, you don’t have
|
||
to worry about escaping special characters. It supports performing
|
||
substitutions on binary files (such as executables), though there
|
||
you’ll probably want to make sure that the replacement string is as
|
||
long as the replaced string.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry xml:id='fun-substituteInPlace'>
|
||
<term>
|
||
<function>substituteInPlace</function> <replaceable>file</replaceable> <replaceable>subs</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Like <function>substitute</function>, but performs the substitutions in
|
||
place on the file <replaceable>file</replaceable>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry xml:id='fun-substituteAll'>
|
||
<term>
|
||
<function>substituteAll</function> <replaceable>infile</replaceable> <replaceable>outfile</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Replaces every occurrence of
|
||
<literal>@<replaceable>varName</replaceable>@</literal>, where
|
||
<replaceable>varName</replaceable> is any environment variable, in
|
||
<replaceable>infile</replaceable>, writing the result to
|
||
<replaceable>outfile</replaceable>. For instance, if
|
||
<replaceable>infile</replaceable> has the contents
|
||
<programlisting>
|
||
#! @bash@/bin/sh
|
||
PATH=@coreutils@/bin
|
||
echo @foo@
|
||
</programlisting>
|
||
and the environment contains
|
||
<literal>bash=/nix/store/bmwp0q28cf21...-bash-3.2-p39</literal> and
|
||
<literal>coreutils=/nix/store/68afga4khv0w...-coreutils-6.12</literal>,
|
||
but does not contain the variable <varname>foo</varname>, then the output
|
||
will be
|
||
<programlisting>
|
||
#! /nix/store/bmwp0q28cf21...-bash-3.2-p39/bin/sh
|
||
PATH=/nix/store/68afga4khv0w...-coreutils-6.12/bin
|
||
echo @foo@
|
||
</programlisting>
|
||
That is, no substitution is performed for undefined variables.
|
||
</para>
|
||
<para>
|
||
Environment variables that start with an uppercase letter or an
|
||
underscore are filtered out, to prevent global variables (like
|
||
<literal>HOME</literal>) or private variables (like
|
||
<literal>__ETC_PROFILE_DONE</literal>) from accidentally getting
|
||
substituted. The variables also have to be valid bash “names”, as
|
||
defined in the bash manpage (alphanumeric or <literal>_</literal>, must
|
||
not start with a number).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry xml:id='fun-substituteAllInPlace'>
|
||
<term>
|
||
<function>substituteAllInPlace</function> <replaceable>file</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Like <function>substituteAll</function>, but performs the substitutions
|
||
in place on the file <replaceable>file</replaceable>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry xml:id='fun-stripHash'>
|
||
<term>
|
||
<function>stripHash</function> <replaceable>path</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Strips the directory and hash part of a store path, outputting the name
|
||
part to <literal>stdout</literal>. For example:
|
||
<programlisting>
|
||
# prints coreutils-8.24
|
||
stripHash "/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
|
||
</programlisting>
|
||
If you wish to store the result in another variable, then the following
|
||
idiom may be useful:
|
||
<programlisting>
|
||
name="/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
|
||
someVar=$(stripHash $name)
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry xml:id='fun-wrapProgram'>
|
||
<term>
|
||
<function>wrapProgram</function> <replaceable>executable</replaceable> <replaceable>makeWrapperArgs</replaceable>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Convenience function for <literal>makeWrapper</literal> that
|
||
automatically creates a sane wrapper file It takes all the same arguments
|
||
as <literal>makeWrapper</literal>, except for <literal>--argv0</literal>.
|
||
</para>
|
||
<para>
|
||
It cannot be applied multiple times, since it will overwrite the wrapper
|
||
file.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</section>
|
||
<section xml:id="ssec-setup-hooks">
|
||
<title>Package setup hooks</title>
|
||
|
||
<para>
|
||
Nix itself considers a build-time dependency merely something that should
|
||
previously be built and accessible at build time—packages themselves are
|
||
on their own to perform any additional setup. In most cases, that is fine,
|
||
and the downstream derivation can deal with it's own dependencies. But for a
|
||
few common tasks, that would result in almost every package doing the same
|
||
sort of setup work---depending not on the package itself, but entirely on
|
||
which dependencies were used.
|
||
</para>
|
||
|
||
<para>
|
||
In order to alleviate this burden, the <firstterm>setup
|
||
hook></firstterm>mechanism was written, where any package can include a
|
||
shell script that [by convention rather than enforcement by Nix], any
|
||
downstream reverse-dependency will source as part of its build process. That
|
||
allows the downstream dependency to merely specify its dependencies, and
|
||
lets those dependencies effectively initialize themselves. No boilerplate
|
||
mirroring the list of dependencies is needed.
|
||
</para>
|
||
|
||
<para>
|
||
The Setup hook mechanism is a bit of a sledgehammer though: a powerful
|
||
feature with a broad and indiscriminate area of effect. The combination of
|
||
its power and implicit use may be expedient, but isn't without costs. Nix
|
||
itself is unchanged, but the spirit of adding dependencies being effect-free
|
||
is violated even if the letter isn't. For example, if a derivation path is
|
||
mentioned more than once, Nix itself doesn't care and simply makes sure the
|
||
dependency derivation is already built just the same—depending is just
|
||
needing something to exist, and needing is idempotent. However, a dependency
|
||
specified twice will have its setup hook run twice, and that could easily
|
||
change the build environment (though a well-written setup hook will
|
||
therefore strive to be idempotent so this is in fact not observable). More
|
||
broadly, setup hooks are anti-modular in that multiple dependencies, whether
|
||
the same or different, should not interfere and yet their setup hooks may
|
||
well do so.
|
||
</para>
|
||
|
||
<para>
|
||
The most typical use of the setup hook is actually to add other hooks which
|
||
are then run (i.e. after all the setup hooks) on each dependency. For
|
||
example, the C compiler wrapper's setup hook feeds itself flags for each
|
||
dependency that contains relevant libaries and headers. This is done by
|
||
defining a bash function, and appending its name to one of
|
||
<envar>envBuildBuildHooks</envar>`, <envar>envBuildHostHooks</envar>`,
|
||
<envar>envBuildTargetHooks</envar>`, <envar>envHostHostHooks</envar>`,
|
||
<envar>envHostTargetHooks</envar>`, or <envar>envTargetTargetHooks</envar>`.
|
||
These 6 bash variables correspond to the 6 sorts of dependencies by platform
|
||
(there's 12 total but we ignore the propagated/non-propagated axis).
|
||
</para>
|
||
|
||
<para>
|
||
Packages adding a hook should not hard code a specific hook, but rather
|
||
choose a variable <emphasis>relative</emphasis> to how they are included.
|
||
Returning to the C compiler wrapper example, if it itself is an
|
||
<literal>n</literal> dependency, then it only wants to accumulate flags from
|
||
<literal>n + 1</literal> dependencies, as only those ones match the
|
||
compiler's target platform. The <envar>hostOffset</envar> variable is
|
||
defined with the current dependency's host offset
|
||
<envar>targetOffset</envar> with its target offset, before it's setup hook
|
||
is sourced. Additionally, since most environment hooks don't care about the
|
||
target platform, That means the setup hook can append to the right bash
|
||
array by doing something like
|
||
<programlisting language="bash">
|
||
addEnvHooks "$hostOffset" myBashFunction
|
||
</programlisting>
|
||
</para>
|
||
|
||
<para>
|
||
The <emphasis>existence</emphasis> of setups hooks has long been documented
|
||
and packages inside Nixpkgs are free to use these mechanism. Other packages,
|
||
however, should not rely on these mechanisms not changing between Nixpkgs
|
||
versions. Because of the existing issues with this system, there's little
|
||
benefit from mandating it be stable for any period of time.
|
||
</para>
|
||
|
||
<para>
|
||
Here are some packages that provide a setup hook. Since the mechanism is
|
||
modular, this probably isn't an exhaustive list. Then again, since the
|
||
mechanism is only to be used as a last resort, it might be.
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term>
|
||
Bintools Wrapper
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Bintools Wrapper wraps the binary utilities for a bunch of miscellaneous
|
||
purposes. These are GNU Binutils when targetting Linux, and a mix of
|
||
cctools and GNU binutils for Darwin. [The "Bintools" name is supposed to
|
||
be a compromise between "Binutils" and "cctools" not denoting any
|
||
specific implementation.] Specifically, the underlying bintools package,
|
||
and a C standard library (glibc or Darwin's libSystem, just for the
|
||
dynamic loader) are all fed in, and dependency finding, hardening (see
|
||
below), and purity checks for each are handled by Bintools Wrapper.
|
||
Packages typically depend on CC Wrapper, which in turn (at run time)
|
||
depends on Bintools Wrapper.
|
||
</para>
|
||
<para>
|
||
Bintools Wrapper was only just recently split off from CC Wrapper, so
|
||
the division of labor is still being worked out. For example, it
|
||
shouldn't care about about the C standard library, but just take a
|
||
derivation with the dynamic loader (which happens to be the glibc on
|
||
linux). Dependency finding however is a task both wrappers will continue
|
||
to need to share, and probably the most important to understand. It is
|
||
currently accomplished by collecting directories of host-platform
|
||
dependencies (i.e. <varname>buildInputs</varname> and
|
||
<varname>nativeBuildInputs</varname>) in environment variables. Bintools
|
||
Wrapper's setup hook causes any <filename>lib</filename> and
|
||
<filename>lib64</filename> subdirectories to be added to
|
||
<envar>NIX_LDFLAGS</envar>. Since CC Wrapper and Bintools Wrapper use
|
||
the same strategy, most of the Bintools Wrapper code is sparsely
|
||
commented and refers to CC Wrapper. But CC Wrapper's code, by contrast,
|
||
has quite lengthy comments. Bintools Wrapper merely cites those, rather
|
||
than repeating them, to avoid falling out of sync.
|
||
</para>
|
||
<para>
|
||
A final task of the setup hook is defining a number of standard
|
||
environment variables to tell build systems which executables full-fill
|
||
which purpose. They are defined to just be the base name of the tools,
|
||
under the assumption that Bintools Wrapper's binaries will be on the
|
||
path. Firstly, this helps poorly-written packages, e.g. ones that look
|
||
for just <command>gcc</command> when <envar>CC</envar> isn't defined yet
|
||
<command>clang</command> is to be used. Secondly, this helps packages
|
||
not get confused when cross-compiling, in which case multiple Bintools
|
||
Wrappers may simultaneously be in use.
|
||
<footnote xml:id="footnote-stdenv-per-platform-wrapper">
|
||
<para>
|
||
Each wrapper targets a single platform, so if binaries for multiple
|
||
platforms are needed, the underlying binaries must be wrapped multiple
|
||
times. As this is a property of the wrapper itself, the multiple
|
||
wrappings are needed whether or not the same underlying binaries can
|
||
target multiple platforms.
|
||
</para>
|
||
</footnote>
|
||
<envar>BUILD_</envar>- and <envar>TARGET_</envar>-prefixed versions of
|
||
the normal environment variable are defined for the additional Bintools
|
||
Wrappers, properly disambiguating them.
|
||
</para>
|
||
<para>
|
||
A problem with this final task is that Bintools Wrapper is honest and
|
||
defines <envar>LD</envar> as <command>ld</command>. Most packages,
|
||
however, firstly use the C compiler for linking, secondly use
|
||
<envar>LD</envar> anyways, defining it as the C compiler, and thirdly,
|
||
only so define <envar>LD</envar> when it is undefined as a fallback.
|
||
This triple-threat means Bintools Wrapper will break those packages, as
|
||
LD is already defined as the actual linker which the package won't
|
||
override yet doesn't want to use. The workaround is to define, just for
|
||
the problematic package, <envar>LD</envar> as the C compiler. A good way
|
||
to do this would be <command>preConfigure = "LD=$CC"</command>.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
CC Wrapper
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
CC Wrapper wraps a C toolchain for a bunch of miscellaneous purposes.
|
||
Specifically, a C compiler (GCC or Clang), wrapped binary tools, and a C
|
||
standard library (glibc or Darwin's libSystem, just for the dynamic
|
||
loader) are all fed in, and dependency finding, hardening (see below),
|
||
and purity checks for each are handled by CC Wrapper. Packages typically
|
||
depend on CC Wrapper, which in turn (at run time) depends on Bintools
|
||
Wrapper.
|
||
</para>
|
||
<para>
|
||
Dependency finding is undoubtedly the main task of CC Wrapper. This
|
||
works just like Bintools Wrapper, except that any
|
||
<filename>include</filename> subdirectory of any relevant dependency is
|
||
added to <envar>NIX_CFLAGS_COMPILE</envar>. The setup hook itself
|
||
contains some lengthy comments describing the exact convoluted mechanism
|
||
by which this is accomplished.
|
||
</para>
|
||
<para>
|
||
CC Wrapper also like Bintools Wrapper defines standard environment
|
||
variables with the names of the tools it wraps, for the same reasons
|
||
described above. Importantly, while it includes a <command>cc</command>
|
||
symlink to the c compiler for portability, the <envar>CC</envar> will be
|
||
defined using the compiler's "real name" (i.e. <command>gcc</command> or
|
||
<command>clang</command>). This helps lousy build systems that inspect
|
||
on the name of the compiler rather than run it.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
Perl
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <filename>lib/site_perl</filename> subdirectory of each build
|
||
input to the <envar>PERL5LIB</envar> environment variable. For instance,
|
||
if <varname>buildInputs</varname> contains Perl, then the
|
||
<filename>lib/site_perl</filename> subdirectory of each input is added
|
||
to the <envar>PERL5LIB</envar> environment variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
Python
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <filename>lib/${python.libPrefix}/site-packages</filename>
|
||
subdirectory of each build input to the <envar>PYTHONPATH</envar>
|
||
environment variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
pkg-config
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <filename>lib/pkgconfig</filename> and
|
||
<filename>share/pkgconfig</filename> subdirectories of each build input
|
||
to the <envar>PKG_CONFIG_PATH</envar> environment variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
Automake
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <filename>share/aclocal</filename> subdirectory of each build
|
||
input to the <envar>ACLOCAL_PATH</envar> environment variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
Autoconf
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
The <varname>autoreconfHook</varname> derivation adds
|
||
<varname>autoreconfPhase</varname>, which runs autoreconf, libtoolize
|
||
and automake, essentially preparing the configure script in
|
||
autotools-based builds.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
libxml2
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds every file named <filename>catalog.xml</filename> found under the
|
||
<filename>xml/dtd</filename> and <filename>xml/xsl</filename>
|
||
subdirectories of each build input to the
|
||
<envar>XML_CATALOG_FILES</envar> environment variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
teTeX / TeX Live
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <filename>share/texmf-nix</filename> subdirectory of each build
|
||
input to the <envar>TEXINPUTS</envar> environment variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
Qt 4
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Sets the <envar>QTDIR</envar> environment variable to Qt’s path.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
gdk-pixbuf
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Exports <envar>GDK_PIXBUF_MODULE_FILE</envar> environment variable the
|
||
the builder. Add librsvg package to <varname>buildInputs</varname> to
|
||
get svg support.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
GHC
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Creates a temporary package database and registers every Haskell build
|
||
input in it (TODO: how?).
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
GStreamer
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the GStreamer plugins subdirectory of each build input to the
|
||
<envar>GST_PLUGIN_SYSTEM_PATH_1_0</envar> or
|
||
<envar>GST_PLUGIN_SYSTEM_PATH</envar> environment variable.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
paxctl
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Defines the <varname>paxmark</varname> helper for setting per-executable
|
||
PaX flags on Linux (where it is available by default; on all other
|
||
platforms, <varname>paxmark</varname> is a no-op). For example, to
|
||
disable secure memory protections on the executable
|
||
<replaceable>foo</replaceable>:
|
||
<programlisting>
|
||
postFixup = ''
|
||
paxmark m $out/bin/<replaceable>foo</replaceable>
|
||
'';
|
||
</programlisting>
|
||
The <literal>m</literal> flag is the most common flag and is typically
|
||
required for applications that employ JIT compilation or otherwise need
|
||
to execute code generated at run-time. Disabling PaX protections should
|
||
be considered a last resort: if possible, problematic features should be
|
||
disabled or patched to work with PaX.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
autoPatchelfHook
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
This is a special setup hook which helps in packaging proprietary
|
||
software in that it automatically tries to find missing shared library
|
||
dependencies of ELF files. All packages within the
|
||
<envar>runtimeDependencies</envar> environment variable are
|
||
unconditionally added to executables, which is useful for programs that
|
||
use <citerefentry>
|
||
<refentrytitle>dlopen</refentrytitle>
|
||
<manvolnum>3</manvolnum> </citerefentry> to load libraries at runtime.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
</para>
|
||
</section>
|
||
<section xml:id="sec-purity-in-nixpkgs">
|
||
<title>Purity in Nixpkgs</title>
|
||
|
||
<para>
|
||
[measures taken to prevent dependencies on packages outside the store, and
|
||
what you can do to prevent them]
|
||
</para>
|
||
|
||
<para>
|
||
GCC doesn't search in locations such as <filename>/usr/include</filename>.
|
||
In fact, attempts to add such directories through the <option>-I</option>
|
||
flag are filtered out. Likewise, the linker (from GNU binutils) doesn't
|
||
search in standard locations such as <filename>/usr/lib</filename>. Programs
|
||
built on Linux are linked against a GNU C Library that likewise doesn't
|
||
search in the default system locations.
|
||
</para>
|
||
</section>
|
||
<section xml:id="sec-hardening-in-nixpkgs">
|
||
<title>Hardening in Nixpkgs</title>
|
||
|
||
<para>
|
||
There are flags available to harden packages at compile or link-time. These
|
||
can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
|
||
<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
|
||
</para>
|
||
|
||
<para>
|
||
Both parameters take a list of flags as strings. The special
|
||
<varname>"all"</varname> flag can be passed to
|
||
<varname>hardeningDisable</varname> to turn off all hardening. These flags
|
||
can also be used as environment variables for testing or development
|
||
purposes.
|
||
</para>
|
||
|
||
<para>
|
||
The following flags are enabled by default and might require disabling with
|
||
<varname>hardeningDisable</varname> if the program to package is
|
||
incompatible.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>format</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <option>-Wformat -Wformat-security
|
||
-Werror=format-security</option> compiler options. At present, this warns
|
||
about calls to <varname>printf</varname> and <varname>scanf</varname>
|
||
functions where the format string is not a string literal and there are
|
||
no format arguments, as in <literal>printf(foo);</literal>. This may be a
|
||
security hole if the format string came from untrusted input and contains
|
||
<literal>%n</literal>.
|
||
</para>
|
||
<para>
|
||
This needs to be turned off or fixed for errors similar to:
|
||
</para>
|
||
<programlisting>
|
||
/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
|
||
printf(help_message);
|
||
^
|
||
cc1plus: some warnings being treated as errors
|
||
</programlisting>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>stackprotector</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <option>-fstack-protector-strong --param
|
||
ssp-buffer-size=4</option> compiler options. This adds safety checks
|
||
against stack overwrites rendering many potential code injection attacks
|
||
into aborting situations. In the best case this turns code injection
|
||
vulnerabilities into denial of service or into non-issues (depending on
|
||
the application).
|
||
</para>
|
||
<para>
|
||
This needs to be turned off or fixed for errors similar to:
|
||
</para>
|
||
<programlisting>
|
||
bin/blib.a(bios_console.o): In function `bios_handle_cup':
|
||
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
|
||
</programlisting>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>fortify</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <option>-O2 -D_FORTIFY_SOURCE=2</option> compiler options.
|
||
During code generation the compiler knows a great deal of information
|
||
about buffer sizes (where possible), and attempts to replace insecure
|
||
unlimited length buffer function calls with length-limited ones. This is
|
||
especially useful for old, crufty code. Additionally, format strings in
|
||
writable memory that contain '%n' are blocked. If an application depends
|
||
on such a format string, it will need to be worked around.
|
||
</para>
|
||
<para>
|
||
Additionally, some warnings are enabled which might trigger build
|
||
failures if compiler warnings are treated as errors in the package build.
|
||
In this case, set <option>NIX_CFLAGS_COMPILE</option> to
|
||
<option>-Wno-error=warning-type</option>.
|
||
</para>
|
||
<para>
|
||
This needs to be turned off or fixed for errors similar to:
|
||
</para>
|
||
<programlisting>
|
||
malloc.c:404:15: error: return type is an incomplete type
|
||
malloc.c:410:19: error: storage size of 'ms' isn't known
|
||
</programlisting>
|
||
<programlisting>
|
||
strdup.h:22:1: error: expected identifier or '(' before '__extension__'
|
||
</programlisting>
|
||
<programlisting>
|
||
strsep.c:65:23: error: register name not specified for 'delim'
|
||
</programlisting>
|
||
<programlisting>
|
||
installwatch.c:3751:5: error: conflicting types for '__open_2'
|
||
</programlisting>
|
||
<programlisting>
|
||
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
|
||
</programlisting>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>pic</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <option>-fPIC</option> compiler options. This options adds
|
||
support for position independent code in shared libraries and thus making
|
||
ASLR possible.
|
||
</para>
|
||
<para>
|
||
Most notably, the Linux kernel, kernel modules and other code not running
|
||
in an operating system environment like boot loaders won't build with PIC
|
||
enabled. The compiler will is most cases complain that PIC is not
|
||
supported for a specific build.
|
||
</para>
|
||
<para>
|
||
This needs to be turned off or fixed for assembler errors similar to:
|
||
</para>
|
||
<programlisting>
|
||
ccbLfRgg.s: Assembler messages:
|
||
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
|
||
</programlisting>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>strictoverflow</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Signed integer overflow is undefined behaviour according to the C
|
||
standard. If it happens, it is an error in the program as it should check
|
||
for overflow before it can happen, not afterwards. GCC provides built-in
|
||
functions to perform arithmetic with overflow checking, which are correct
|
||
and faster than any custom implementation. As a workaround, the option
|
||
<option>-fno-strict-overflow</option> makes gcc behave as if signed
|
||
integer overflows were defined.
|
||
</para>
|
||
<para>
|
||
This flag should not trigger any build or runtime errors.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>relro</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <option>-z relro</option> linker option. During program load,
|
||
several ELF memory sections need to be written to by the linker, but can
|
||
be turned read-only before turning over control to the program. This
|
||
prevents some GOT (and .dtors) overwrite attacks, but at least the part
|
||
of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
|
||
</para>
|
||
<para>
|
||
This flag can break dynamic shared object loading. For instance, the
|
||
module systems of Xorg and OpenCV are incompatible with this flag. In
|
||
almost all cases the <varname>bindnow</varname> flag must also be
|
||
disabled and incompatible programs typically fail with similar errors at
|
||
runtime.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>bindnow</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <option>-z bindnow</option> linker option. During program load,
|
||
all dynamic symbols are resolved, allowing for the complete GOT to be
|
||
marked read-only (due to <varname>relro</varname>). This prevents GOT
|
||
overwrite attacks. For very large applications, this can incur some
|
||
performance loss during initial load while symbols are resolved, but this
|
||
shouldn't be an issue for daemons.
|
||
</para>
|
||
<para>
|
||
This flag can break dynamic shared object loading. For instance, the
|
||
module systems of Xorg and PHP are incompatible with this flag. Programs
|
||
incompatible with this flag often fail at runtime due to missing symbols,
|
||
like:
|
||
</para>
|
||
<programlisting>
|
||
intel_drv.so: undefined symbol: vgaHWFreeHWRec
|
||
</programlisting>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<para>
|
||
The following flags are disabled by default and should be enabled with
|
||
<varname>hardeningEnable</varname> for packages that take untrusted input
|
||
like network services.
|
||
</para>
|
||
|
||
<variablelist>
|
||
<varlistentry>
|
||
<term>
|
||
<varname>pie</varname>
|
||
</term>
|
||
<listitem>
|
||
<para>
|
||
Adds the <option>-fPIE</option> compiler and <option>-pie</option> linker
|
||
options. Position Independent Executables are needed to take advantage of
|
||
Address Space Layout Randomization, supported by modern kernel versions.
|
||
While ASLR can already be enforced for data areas in the stack and heap
|
||
(brk and mmap), the code areas must be compiled as position-independent.
|
||
Shared libraries already do this with the <varname>pic</varname> flag, so
|
||
they gain ASLR automatically, but binary .text regions need to be build
|
||
with <varname>pie</varname> to gain ASLR. When this happens, ROP attacks
|
||
are much harder since there are no static locations to bounce off of
|
||
during a memory corruption attack.
|
||
</para>
|
||
</listitem>
|
||
</varlistentry>
|
||
</variablelist>
|
||
|
||
<para>
|
||
For more in-depth information on these hardening flags and hardening in
|
||
general, refer to the
|
||
<link xlink:href="https://wiki.debian.org/Hardening">Debian Wiki</link>,
|
||
<link xlink:href="https://wiki.ubuntu.com/Security/Features">Ubuntu
|
||
Wiki</link>,
|
||
<link xlink:href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo
|
||
Wiki</link>, and the
|
||
<link xlink:href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">
|
||
Arch Wiki</link>.
|
||
</para>
|
||
</section>
|
||
</chapter>
|