-
-
Notifications
You must be signed in to change notification settings - Fork 13.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
replaceDependencies: evolve from replaceDependency
Rewrite replaceDependency so that it can apply multiple replacements in one go. This includes correctly handling the case where one of the replacements itself needs to have another replacement applied as well. This rewritten function is now aptly called replaceDependencies. For compatibility, replaceDependency is retained as a simple wrapper over replaceDependencies. It will cause a rebuild because the unpatched dependency is now referenced by derivation instead of by storePath, but the functionality is equivalent.
- Loading branch information
Showing
3 changed files
with
142 additions
and
84 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,133 @@ | ||
{ runCommandLocal, nix, lib }: | ||
|
||
# Replace some dependencies in the requisites tree of drv, propagating the change all the way up the tree, even within other replacements, without a full rebuild. | ||
# This can be useful, for example, to patch a security hole in libc and still use your system safely without rebuilding the world. | ||
# This should be a short term solution, as soon as a rebuild can be done the properly rebuilt derivation should be used. | ||
# Each old dependency and the corresponding new dependency MUST have the same-length name, and ideally should have close-to-identical directory layout. | ||
# | ||
# Example: safeFirefox = replaceDependencies { | ||
# drv = firefox; | ||
# replacements = [ | ||
# { | ||
# oldDependency = glibc; | ||
# newDependency = glibc.overrideAttrs (oldAttrs: { | ||
# patches = oldAttrs.patches ++ [ ./fix-glibc-hole.patch ]; | ||
# }); | ||
# } | ||
# { | ||
# oldDependency = libwebp; | ||
# newDependency = libwebp.overrideAttrs (oldAttrs: { | ||
# patches = oldAttrs.patches ++ [ ./fix-libwebp-hole.patch ]; | ||
# }); | ||
# } | ||
# ]; | ||
# }; | ||
# This will first rebuild glibc and libwebp with your security patches. | ||
# Then it copies over firefox (and all of its dependencies) without rebuilding further. | ||
# In particular, the glibc dependency of libwebp will be replaced by the patched version as well. | ||
# | ||
# In rare cases, it is possible for the replacement process to cause breakage (for example due to checksum mismatch). | ||
# The cutoffPredicate argument can be used to exempt the problematic packages from the replacement process. | ||
{ drv, replacements, cutoffPredicate ? _: false, verbose ? true }: | ||
|
||
let | ||
inherit (lib) substring stringLength concatStringsSep mapAttrsToList; | ||
inherit (lib.attrsets) mergeAttrsList; | ||
|
||
toContextlessString = x: | ||
builtins.unsafeDiscardStringContext (builtins.toString x); | ||
warn = if verbose then builtins.trace else (x: y: y); | ||
|
||
referencesOf = drv: | ||
import (runCommandLocal "references.nix" { | ||
exportReferencesGraph = [ "graph" drv ]; | ||
} '' | ||
(echo { | ||
while read path | ||
do | ||
echo " \"$path\" = [" | ||
read count | ||
read count | ||
while [ "0" != "$count" ] | ||
do | ||
read ref_path | ||
if [ "$ref_path" != "$path" ] | ||
then | ||
echo " \"$ref_path\"" | ||
fi | ||
count=$(($count - 1)) | ||
done | ||
echo " ];" | ||
done < graph | ||
echo }) > $out | ||
'').outPath; | ||
rewriteHashes = drv: rewrites: | ||
if rewrites == { } then | ||
drv | ||
else | ||
let | ||
drvName = substring 33 (stringLength (baseNameOf drv)) (baseNameOf drv); | ||
in runCommandLocal drvName { nixStore = "${nix}/bin/nix-store"; } '' | ||
$nixStore --dump ${drv} | sed 's|${ | ||
baseNameOf drv | ||
}|'$(basename $out)'|g' | sed -e ${ | ||
concatStringsSep " -e " (mapAttrsToList | ||
(name: value: "'s|${baseNameOf name}|${baseNameOf value}|g'") | ||
rewrites) | ||
} | $nixStore --restore $out | ||
''; | ||
|
||
knownDerivations = [ drv ] | ||
++ builtins.map ({ newDependency, ... }: newDependency) replacements; | ||
referencesMemo = builtins.listToAttrs (builtins.map (drv: { | ||
name = toContextlessString drv; | ||
value = referencesOf drv; | ||
}) knownDerivations); | ||
relevantReferences = mergeAttrsList (builtins.attrValues referencesMemo); | ||
# Make sure a derivation is returned even when no replacements are actually applied. | ||
# Yes, even in the stupid edge case where the root derivation itself is replaced. | ||
storePathOrKnownDerivationMemo = | ||
builtins.mapAttrs (drv: _references: builtins.storePath drv) | ||
relevantReferences // builtins.listToAttrs (builtins.map (drv: { | ||
name = toContextlessString drv; | ||
value = drv; | ||
}) knownDerivations); | ||
|
||
relevantReplacements = builtins.filter ({ oldDependency, newDependency }: | ||
if builtins.toString oldDependency == builtins.toString newDependency then | ||
warn | ||
"replaceDependencies: attempting to replace dependency ${oldDependency} of ${drv} with itself" | ||
# Attempting to replace a dependency by itself is completely useless, and would only lead to infinite recursion. | ||
# Hence it must not be attempted to apply this replacement in any case. | ||
false | ||
else if !builtins.hasAttr (toContextlessString oldDependency) | ||
referencesMemo.${toContextlessString drv} then | ||
warn "replaceDependencies: ${drv} does not depend on ${oldDependency}" | ||
# Handle the corner case where one of the other replacements introduces the dependency. | ||
# It would be more correct to not show the warning in this case, but the added complexity is probably not worth it. | ||
true | ||
else | ||
true) replacements; | ||
|
||
rewriteMemo = builtins.mapAttrs (drv: references: | ||
let | ||
rewrittenReferences = builtins.filter | ||
(dep: dep != drv && builtins.toString rewriteMemo.${dep} != dep) | ||
references; | ||
rewrites = builtins.listToAttrs (builtins.map (reference: { | ||
name = reference; | ||
value = rewriteMemo.${reference}; | ||
}) rewrittenReferences); | ||
in rewriteHashes storePathOrKnownDerivationMemo.${drv} rewrites) | ||
relevantReferences // builtins.listToAttrs (builtins.map | ||
({ oldDependency, newDependency }: { | ||
name = toContextlessString oldDependency; | ||
value = rewriteMemo.${toContextlessString newDependency}; | ||
}) relevantReplacements) // builtins.listToAttrs (builtins.map (drv: { | ||
name = drv; | ||
value = storePathOrKnownDerivationMemo.${drv}; | ||
}) (builtins.filter cutoffPredicate | ||
(builtins.attrNames relevantReferences))); | ||
in assert builtins.all ({ oldDependency, newDependency }: | ||
stringLength oldDependency == stringLength newDependency) replacements; | ||
rewriteMemo.${toContextlessString drv} |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters