mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-30 02:42:59 +00:00
aaeeef5b6c
Replaces / Closes #353131

A while ago `postgresql` switched to using structured attrs[1]. In the PR it was reported that this made postgresql notably slower when importing SQL dumps[2]. After a bit of debugging it turned out that the hardening was entirely missing and the following combination of settings was the culprit:

    hardeningEnable = [ "pie" ];
    __structuredAttrs = true;

I.e. the combination of custom hardening settings and structured attrs.

What happened here is that internally the default and enabled hardening flags get written into `NIX_HARDENING_ENABLE`. However, the value is a list and the setting is not in the `env` section. This means that in the structured-attrs case we get something like

    declare -ax NIX_HARDENING_ENABLE=([0]="bindnow" [1]="format" [2]="fortify" [3]="fortify3" [4]="pic" [5]="relro" [6]="stackprotector" [7]="strictoverflow" [8]="zerocallusedregs" [9]="pie")

i.e. an actual array rather than a string with all hardening flags being space-separated, which is what the hardening code of the cc-wrapper expects[3].

This only happens if `hardeningEnable` or `hardeningDisable` are explicitly set by a derivation: if none of those are set, `NIX_HARDENING_ENABLE` won't be set by `stdenv.mkDerivation` and the default hardening flags are configured by the setup hook of the cc-wrapper[4]. In other words, this _only_ applies to derivations that have both custom hardening settings _and_ `__structuredAttrs = true;`.

All values of `NIX_HARDENING_ENABLE` are well-known, so we don't have to worry about escaping issues. Just forcing it to a string by concatenating the list every time solves the issue without additional issues like eval errors when inheriting `env` from a structuredAttrs derivation[5].

The price we're paying is a full rebuild.

[1] https://github.com/NixOS/nixpkgs/pull/294504
[2] https://github.com/NixOS/nixpkgs/pull/294504#issuecomment-2451482522
[3]
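The following bash script is an added illustration of the mechanism the commit message describes; it is not code from the commit or from nixpkgs. It relies on one fact about bash: array variables are never passed to child processes, even when marked for export. The cc-wrapper runs as a separate process, so an array-valued `NIX_HARDENING_ENABLE` in the builder shell never reaches it, whereas the space-separated string the fix produces does. The wrapper is modelled here by a plain `bash -c` child rather than a real compiler wrapper (an assumption of this example). It also goes a step beyond the message with `is_string_var`, a check that can be run inside a build to confirm the variable is a scalar.

```bash
#!/usr/bin/env bash
# Added example (not nixpkgs code): array vs. string in NIX_HARDENING_ENABLE.
# Assumption: the cc-wrapper is modelled as a child `bash -c` process, which
# reads the variable from its environment exactly like the real wrapper would.

# What a child process (the "wrapper") sees for NIX_HARDENING_ENABLE.
# Prints the value, or "<unset>" when the variable did not survive the exec.
child_sees() {
    bash -c 'printf "%s" "${NIX_HARDENING_ENABLE-<unset>}"'
}

# The fix, expressed in shell: join the flag list into one space-separated
# string (the Nix side concatenates the list before it becomes an env var).
join_flags() {
    local IFS=' '
    printf '%s' "$*"
}

# Case 1: the broken form produced by structured attrs for a list attribute.
# A bash array, even with -x, is not exported, so the child sees nothing.
# (Subshell body keeps the variable out of the caller's environment.)
as_array() (
    declare -ax NIX_HARDENING_ENABLE=([0]="bindnow" [1]="format" [2]="pie")
    child_sees
)

# Case 2: the fixed form, a scalar string; the child sees every flag.
as_string() (
    export NIX_HARDENING_ENABLE
    NIX_HARDENING_ENABLE=$(join_flags bindnow format pie)
    child_sees
)

# Build-time check: is the named variable a scalar (not -a / -A) in this
# shell?  `declare -p` prints "declare -<flags> NAME=..." and the flags token
# contains 'a' or 'A' for arrays.  Returns 0 for a scalar, 1 otherwise.
is_string_var() {
    local decl flags
    decl=$(declare -p "$1" 2>/dev/null) || return 1
    flags=${decl#declare }
    flags=${flags%% *}
    case "$flags" in
        *a*|*A*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Stand-alone demo: shows the two cases side by side.
printf 'array  -> child sees: %s\n' "$(as_array)"
printf 'string -> child sees: %s\n' "$(as_string)"
```

Inside a build with structured attrs, running `declare -p NIX_HARDENING_ENABLE` in a shell hook (or the `is_string_var` check above) distinguishes the two cases immediately: `declare -ax` means the wrapper will never see the flags, `declare -x` means it will.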