Conversation
Xcode 26.0 sets `*_DEPLOYMENT_TARGET` env vars for all platforms in shell script build phases, which breaks invocations of clang from those phases, as they target the wrong platform.
We don't provide `eview` so we need to get rid of that manpage, and there's also a bad `man/man1/mvim.1` symlink that goes nowhere.
Pass `-headerpad_max_install_names` again. This is something we used to do, and then the flag got removed at some point. For some reason we need to provide it both to configure and to Xcode.
We need to resign the binary after running `install_name_tool` or it will have an invalid code signature.
MacVim currently fails to link against nixpkgs python because Xcode's
clang doesn't understand the LLVM bitcode in the
`libpython${pythonVersion}.a` static library. I'm not sure what this
static library is for when `lib/libpython${pythonVersion}.dylib` exists,
but I don't know of a way to tell MacVim to ignore it. Linking against
python works if we rebuild python to skip the static library but that
doesn't seem like a proper solution, so until a permanent solution is
found, just disable python by default.
Also mark macvim as no longer broken.
Updates macvim to r181, including bumping the Ruby version to 3.4 since that's what MacVim r181 is built against. There's still 3 CVEs in the `knownVulnerabilities` list that are newer than this release, but this is the latest MacVim release available right now.
|
I'm tempted to re-add myself as maintainer for this package again, but I'd have to add myself back to the maintainer list first. |
nixpkgs-ci
bot
added
10.rebuild-darwin: 1-10
nixpkgs-ci
bot
added
the
9.needs: reviewer
|
I went ahead and added commits to put myself back into the maintainer list. |
nixpkgs-ci
bot
added
the
8.has: maintainer-list (update)
| --replace-warn " -L${stdenv.cc.libc}/lib" "" \ | ||
| --replace-warn " -L${darwin.libunwind}/lib" "" \ | ||
| --replace-warn " -L${libiconv}/lib" "" |
There was a problem hiding this comment.
| --replace-warn " -L${stdenv.cc.libc}/lib" "" \ | |
| --replace-warn " -L${darwin.libunwind}/lib" "" \ | |
| --replace-warn " -L${libiconv}/lib" "" | |
| --replace-fail " -L${stdenv.cc.libc}/lib" "" \ | |
| --replace-fail " -L${darwin.libunwind}/lib" "" \ | |
| --replace-fail " -L${libiconv}/lib" "" |
we probably want to fail to build if anything about this changes
There was a problem hiding this comment.
I basically don’t think these should be an issue at all these days. We do build our own libiconv, but I doubt it hurts anything – stdenv already propagates it, so it’s almost surely on the linker path even if we substitute this away. stdenv.cc.libc and darwin.libunwind are stub packages and we link against the system versions of those libraries using the stubs in the SDK. I can’t imagine these can’t just be removed without issue.
There was a problem hiding this comment.
I just tweaked them to be --replace-warn since I noticed there was a warning about using bare --replace, but I didn't feel like checking if the replacements were actually still finding anything to replace (since this is a rather old hack and stuff has changed since then). I can try deleting them outright and seeing what happens, though if I'm going to end up actually switching over to the nixpkgs toolchain for building this (in a future PR) then this will all get replaced anyway.
| # Note: The shell script build phase in question uses /bin/zsh. | ||
| + '' | ||
| substituteInPlace src/MacVim/MacVim.xcodeproj/project.pbxproj \ | ||
| --replace-fail 'make \' $'for x in ''${(k)parameters}; do if [[ $x = *_DEPLOYMENT_TARGET ]]; then [[ $x = MACOSX_DEPLOYMENT_TARGET ]] || unset $x; fi; done\nmake \\' |
There was a problem hiding this comment.
At some point I would recommend doing a patch instead 😅
| ++ optionals enablePython [ | ||
| "--enable-python3interp=dynamic" | ||
| ] | ||
| ++ [ | ||
| "--enable-perlinterp=dynamic" | ||
| "--enable-rubyinterp=dynamic" | ||
| "--enable-tclinterp=yes" | ||
| "--without-local-dir" | ||
| "--with-luajit" | ||
| "--with-lua-prefix=${luajit}" | ||
| ] | ||
| ++ optionals enablePython [ |
There was a problem hiding this comment.
Maybe reorder things to only have one condition
| src = fetchFromGitHub { | ||
| owner = "macvim-dev"; | ||
| repo = "macvim"; | ||
| rev = "release-${finalAttrs.version}"; |
There was a problem hiding this comment.
| rev = "release-${finalAttrs.version}"; | |
| tag = "release-${finalAttrs.version}"; |
nixpkgs-ci
bot
removed
the
9.needs: reviewer
emilazy
left a comment
emilazy
left a comment
There was a problem hiding this comment.
FWIW, I doubt that most of the contortions in this build are necessary these days, now that we have actual SDKs and modern Clang. I expect this can be made into a relatively normal package with at most making things like ibtool(1) available – which could be obtained either impurely or from our darwin.xcode package. That would also likely make it a lot less fragile with regards to the toolchain churn that has affected it a lot.
I won’t block on this, but I would strongly suggest trying it to increase future maintainability – the mixing of toolchains here is inherently fragile, and should be completely unnecessary. Our SDKs contain the same headers and stubs that the native toolchain links against, and all the frameworks are available. All we are missing is the proprietary tools for things like Interface Builder files and Metal – but those don’t depend on the compiler toolchain, so can be pulled into a build with fewer hacks than are used here currently.
| --replace-warn " -L${stdenv.cc.libc}/lib" "" \ | ||
| --replace-warn " -L${darwin.libunwind}/lib" "" \ | ||
| --replace-warn " -L${libiconv}/lib" "" |
There was a problem hiding this comment.
I basically don’t think these should be an issue at all these days. We do build our own libiconv, but I doubt it hurts anything – stdenv already propagates it, so it’s almost surely on the linker path even if we substitute this away. stdenv.cc.libc and darwin.libunwind are stub packages and we link against the system versions of those libraries using the stubs in the SDK. I can’t imagine these can’t just be removed without issue.
| python3 | ||
| ]; | ||
| ] | ||
| ++ optional enablePython python3; |
There was a problem hiding this comment.
Using the Nixpkgs toolchain would presumably fix this.
| + optionalString stdenv.isAarch64 '' | ||
| # Resign the binary and set the linker-signed flag. | ||
| rcodesign sign --code-signature-flags linker-signed $exe |
There was a problem hiding this comment.
Is there a reason not to use autoSignDarwinBinariesHook here?
There was a problem hiding this comment.
The answer is that I didn't know about that hook. That said, we only need to resign one binary, and it looks like that hook is going to check every single file to see if it needs a signature, so that's going to end up doing a lot more work for the same effect.
There was a problem hiding this comment.
Fair enough. I’m surprised if install_name_tool is breaking the signature, as ours doesn’t, but maybe this is something weird with the Xcode toolchain being used here.
|
I really need to look more into the nixpkgs toolchain changes. This PR came about by just trying to get the darn thing working again, but if we can actually swap over to the nixpkgs toolchain and still expose |
emilazy
left a comment
emilazy
left a comment
There was a problem hiding this comment.
This seems fine as an incremental improvement. I didn’t test the build, because it scares me.
xcbuild being inadequate could indeed be a problem. Swift Build includes a FOSS implementation of the Xcode build system which should solve this, but it’s waiting on @reckenrode to finish his Swift 6.2 work for 26.05 before it’ll be available for us. I am not sure if our SDK can be used with the Xcode xcodebuild(1); I think in theory it should be possible, but IIRC Randy had to adjust the SDK to work with Swift Build, so there may be annoying complications. Still, it’s probably worth trying, or even just patching around xcbuild issues for now; I doubt the contortions for that could be worse than the ones this currently has to use. Otherwise, Swift Build should do the trick.
FWIW, it looks like the r181.2 prerelease isn’t affected by any of the remaining vulnerabilities, so we could probably bump to that.
| + optionalString stdenv.isAarch64 '' | ||
| # Resign the binary and set the linker-signed flag. | ||
| rcodesign sign --code-signature-flags linker-signed $exe |
There was a problem hiding this comment.
Fair enough. I’m surprised if install_name_tool is breaking the signature, as ours doesn’t, but maybe this is something weird with the Xcode toolchain being used here.
3 participants
This fixes the various ways in which the MacVim package was broken, and then updates it to r181.
One of the changes here is Python support has been disabled by default, with an
enablePythonconfiguration option added to reenable it. Enabling Python also requires overriding thepython3input to fix the breakage (e.g. by disabling static libpython and symlinking inlibpython${pythonVersion}.dylibinto the correct location).This also adds me back to the maintainer list and marks myself as maintainer of this package.
Changelogs:
Fixes #399964.
Things done
passthru.tests.nixpkgs-reviewon this PR. See nixpkgs-review usage../result/bin/.Add a 👍 reaction to pull requests you find important.