replaceDependencies: evolve from replaceDependency

Rewrite replaceDependency so that it can apply multiple replacements in one go. This includes correctly handling the case where one of the replacements itself needs to have another replacement applied as well. This rewritten function is now aptly called replaceDependencies. For compatibility, replaceDependency is retained as a simple wrapper over replaceDependencies. It will cause a rebuild because the unpatched dependency is now referenced by derivation instead of by storePath, but the functionality is equivalent.
NixOS · Oct 12, 2023 · 234917d · 234917d
1 parent 5ba549e
commit 234917d
Show file tree

Hide file tree

Showing 3 changed files with 142 additions and 84 deletions.
diff --git a/pkgs/build-support/replace-dependencies.nix b/pkgs/build-support/replace-dependencies.nix
@@ -0,0 +1,133 @@
+{ runCommandLocal, nix, lib }:
+
+# Replace some dependencies in the requisites tree of drv, propagating the change all the way up the tree, even within other replacements, without a full rebuild.
+# This can be useful, for example, to patch a security hole in libc and still use your system safely without rebuilding the world.
+# This should be a short term solution, as soon as a rebuild can be done the properly rebuilt derivation should be used.
+# Each old dependency and the corresponding new dependency MUST have the same-length name, and ideally should have close-to-identical directory layout.
+#
+# Example: safeFirefox = replaceDependencies {
+#   drv = firefox;
+#   replacements = [
+#     {
+#       oldDependency = glibc;
+#       newDependency = glibc.overrideAttrs (oldAttrs: {
+#         patches = oldAttrs.patches ++ [ ./fix-glibc-hole.patch ];
+#       });
+#     }
+#     {
+#       oldDependency = libwebp;
+#       newDependency = libwebp.overrideAttrs (oldAttrs: {
+#         patches = oldAttrs.patches ++ [ ./fix-libwebp-hole.patch ];
+#       });
+#     }
+#   ];
+# };
+# This will first rebuild glibc and libwebp with your security patches.
+# Then it copies over firefox (and all of its dependencies) without rebuilding further.
+# In particular, the glibc dependency of libwebp will be replaced by the patched version as well.
+#
+# In rare cases, it is possible for the replacement process to cause breakage (for example due to checksum mismatch).
+# The cutoffPredicate argument can be used to exempt the problematic packages from the replacement process.
+{ drv, replacements, cutoffPredicate ? _: false, verbose ? true }:
+
+let
+  inherit (lib) substring stringLength concatStringsSep mapAttrsToList;
+  inherit (lib.attrsets) mergeAttrsList;
+
+  toContextlessString = x:
+    builtins.unsafeDiscardStringContext (builtins.toString x);
+  warn = if verbose then builtins.trace else (x: y: y);
+
+  referencesOf = drv:
+    import (runCommandLocal "references.nix" {
+      exportReferencesGraph = [ "graph" drv ];
+    } ''
+      (echo {
+      while read path
+      do
+          echo "  \"$path\" = ["
+          read count
+          read count
+          while [ "0" != "$count" ]
+          do
+              read ref_path
+              if [ "$ref_path" != "$path" ]
+              then
+                  echo "    \"$ref_path\""
+              fi
+              count=$(($count - 1))
+          done
+          echo "  ];"
+      done < graph
+      echo }) > $out
+    '').outPath;
+  rewriteHashes = drv: rewrites:
+    if rewrites == { } then
+      drv
+    else
+      let
+        drvName = substring 33 (stringLength (baseNameOf drv)) (baseNameOf drv);
+      in runCommandLocal drvName { nixStore = "${nix}/bin/nix-store"; } ''
+        $nixStore --dump ${drv} | sed 's|${
+          baseNameOf drv
+        }|'$(basename $out)'|g' | sed -e ${
+          concatStringsSep " -e " (mapAttrsToList
+            (name: value: "'s|${baseNameOf name}|${baseNameOf value}|g'")
+            rewrites)
+        } | $nixStore --restore $out
+      '';
+
+  knownDerivations = [ drv ]
+    ++ builtins.map ({ newDependency, ... }: newDependency) replacements;
+  referencesMemo = builtins.listToAttrs (builtins.map (drv: {
+    name = toContextlessString drv;
+    value = referencesOf drv;
+  }) knownDerivations);
+  relevantReferences = mergeAttrsList (builtins.attrValues referencesMemo);
+  # Make sure a derivation is returned even when no replacements are actually applied.
+  # Yes, even in the stupid edge case where the root derivation itself is replaced.
+  storePathOrKnownDerivationMemo =
+    builtins.mapAttrs (drv: _references: builtins.storePath drv)
+    relevantReferences // builtins.listToAttrs (builtins.map (drv: {
+      name = toContextlessString drv;
+      value = drv;
+    }) knownDerivations);
+
+  relevantReplacements = builtins.filter ({ oldDependency, newDependency }:
+    if builtins.toString oldDependency == builtins.toString newDependency then
+      warn
+      "replaceDependencies: attempting to replace dependency ${oldDependency} of ${drv} with itself"
+      # Attempting to replace a dependency by itself is completely useless, and would only lead to infinite recursion.
+      # Hence it must not be attempted to apply this replacement in any case.
+      false
+    else if !builtins.hasAttr (toContextlessString oldDependency)
+    referencesMemo.${toContextlessString drv} then
+      warn "replaceDependencies: ${drv} does not depend on ${oldDependency}"
+      # Handle the corner case where one of the other replacements introduces the dependency.
+      # It would be more correct to not show the warning in this case, but the added complexity is probably not worth it.
+      true
+    else
+      true) replacements;
+
+  rewriteMemo = builtins.mapAttrs (drv: references:
+    let
+      rewrittenReferences = builtins.filter
+        (dep: dep != drv && builtins.toString rewriteMemo.${dep} != dep)
+        references;
+      rewrites = builtins.listToAttrs (builtins.map (reference: {
+        name = reference;
+        value = rewriteMemo.${reference};
+      }) rewrittenReferences);
+    in rewriteHashes storePathOrKnownDerivationMemo.${drv} rewrites)
+    relevantReferences // builtins.listToAttrs (builtins.map
+      ({ oldDependency, newDependency }: {
+        name = toContextlessString oldDependency;
+        value = rewriteMemo.${toContextlessString newDependency};
+      }) relevantReplacements) // builtins.listToAttrs (builtins.map (drv: {
+        name = drv;
+        value = storePathOrKnownDerivationMemo.${drv};
+      }) (builtins.filter cutoffPredicate
+        (builtins.attrNames relevantReferences)));
+in assert builtins.all ({ oldDependency, newDependency }:
+  stringLength oldDependency == stringLength newDependency) replacements;
+rewriteMemo.${toContextlessString drv}
diff --git a/pkgs/build-support/replace-dependency.nix b/pkgs/build-support/replace-dependency.nix
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -1345,7 +1345,15 @@ with pkgs;
 
   substituteAllFiles = callPackage ../build-support/substitute-files/substitute-all-files.nix { };
 
-  replaceDependency = callPackage ../build-support/replace-dependency.nix { };
+  replaceDependencies = callPackage ../build-support/replace-dependencies.nix { };
+
+  replaceDependency = { drv, oldDependency, newDependency, verbose ? true }: replaceDependencies {
+    inherit drv verbose;
+    replacements = [{
+      inherit oldDependency newDependency;
+    }];
+    cutoffPredicate = dep: dep == builtins.toString drv;
+  };
 
   nukeReferences = callPackage ../build-support/nuke-references {
     inherit (darwin) signingUtils;