stdenv.darwin: bootstrap darwin using updated tools #301252

Closed
wants to merge 1 commit into from

Conversation

ghost commented Apr 3, 2024

Description of changes

  • update the hashes and tools needed to extract the bootstrap-tools archive

  • unify the x64 and aarch64 unpack process

  • second try of #295558 (stdenv.darwin: bootstrap darwin using updated tools), but after the xz downgrade to 5.4.2

  • considered downgrading xz for the tools further, to 5.2.5, so as not to have to update again, since 5.4.2 has commits from the malicious committer, but stuck with the xz version in nixpkgs

  • considered using zstd / gzip for compression of the tarball / unpack.nar, but nix doesn't support gz for nar files

tools from:

testing:

maintainers/scripts/bootstrap-files/refresh-tarballs.bash --targets=aarch64-apple-darwin,x86_64-apple-darwin
for sys in aarch64 x86_64; do nix-build -A stdenv --system "${sys}-darwin"; done

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


ofborg bot added the label 6.topic: darwin (Running or building packages on Darwin) Apr 3, 2024
github-actions bot added the label 6.topic: stdenv (Standard environment) Apr 3, 2024
@ghost ghost linked an issue Apr 3, 2024 that may be closed by this pull request
ofborg bot added the labels 10.rebuild-darwin-stdenv (This PR causes stdenv to rebuild), 10.rebuild-darwin: 501+, 10.rebuild-darwin: 5001+ and 10.rebuild-linux: 0 (This PR does not cause any packages to rebuild on Linux) Apr 3, 2024
ghost (Author) commented Apr 3, 2024

aarch64-apple-darwin

sha256sum of files to be uploaded:

sha256sum /nix/store/zxxcz7sza5ypy061rsg7cmr7h0a96hbb-stdenv-bootstrap-tools/on-server/*
6b7ece80c7531e31722ace144f1a03ef3c7a4dedc0ef3b128e16c51f36cdc50f  /nix/store/zxxcz7sza5ypy061rsg7cmr7h0a96hbb-stdenv-bootstrap-tools/on-server/bootstrap-tools.tar.xz
8b267b5946822fe4037be198d3c23ee6c2b7eec7fbeb7413c36e04854bf4da25  /nix/store/zxxcz7sza5ypy061rsg7cmr7h0a96hbb-stdenv-bootstrap-tools/on-server/unpack.nar.xz

Suggested commands to upload files to 'tarballs.nixos.org':

nix-store --realize /nix/store/zxxcz7sza5ypy061rsg7cmr7h0a96hbb-stdenv-bootstrap-tools
aws s3 cp --recursive --acl public-read /nix/store/zxxcz7sza5ypy061rsg7cmr7h0a96hbb-stdenv-bootstrap-tools/on-server/ s3://nixpkgs-tarballs/stdenv/aarch64-apple-darwin/d03a4482228d4d6dbd2d4b425b6dfcd49ebe765f
aws s3 cp --recursive s3://nixpkgs-tarballs/stdenv/aarch64-apple-darwin/d03a4482228d4d6dbd2d4b425b6dfcd49ebe765f ./
sha256sum bootstrap-tools.tar.xz unpack.nar.xz

x86_64-apple-darwin

sha256sum of files to be uploaded:

sha256sum /nix/store/lsl9rl3zj9nr318w471vvmlvxzj21b2k-stdenv-bootstrap-tools/on-server/*
dce06283395bbbf67a83cafb86c39683de474efec8270f4dbdb6a6c2fc3ef3cc  /nix/store/lsl9rl3zj9nr318w471vvmlvxzj21b2k-stdenv-bootstrap-tools/on-server/bootstrap-tools.tar.xz
53756aecf5ea3765034f39a3d8a780ae5ddc4b89570beb56eea01ffdd7c9fb96  /nix/store/lsl9rl3zj9nr318w471vvmlvxzj21b2k-stdenv-bootstrap-tools/on-server/unpack.nar.xz

Suggested commands to upload files to 'tarballs.nixos.org':

nix-store --realize /nix/store/lsl9rl3zj9nr318w471vvmlvxzj21b2k-stdenv-bootstrap-tools
aws s3 cp --recursive --acl public-read /nix/store/lsl9rl3zj9nr318w471vvmlvxzj21b2k-stdenv-bootstrap-tools/on-server/ s3://nixpkgs-tarballs/stdenv/x86_64-apple-darwin/d03a4482228d4d6dbd2d4b425b6dfcd49ebe765f
aws s3 cp --recursive s3://nixpkgs-tarballs/stdenv/x86_64-apple-darwin/d03a4482228d4d6dbd2d4b425b6dfcd49ebe765f ./
sha256sum bootstrap-tools.tar.xz unpack.nar.xz
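The upload procedure above ends by copying the objects back out of the bucket and printing their sha256sums, leaving the comparison against the expected values to the eye. As an added example (not part of this PR, of nixpkgs, or of refresh-tarballs.bash), the script below checks a directory of downloaded artifacts against a pinned manifest in the same `<sha256>  <filename>` format the tool prints, and fails closed: a missing file, a digest mismatch, or a file in the directory that the manifest does not list all make it return non-zero. The `sha256_of` helper, the function names and the layout of the manifest are this example's own; the fixture written by `make_fixture` is constructed sample data (an empty file and the bytes "hello\n"), not the real bootstrap tarballs.

```shell
#!/usr/bin/env bash
# Added example, not from the PR or nixpkgs: fail-closed verification of
# downloaded bootstrap artifacts against a pinned sha256 manifest.
set -eu

# sha256_of FILE: print the hex digest (coreutils sha256sum, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_manifest MANIFEST DIR
# MANIFEST holds lines of "<sha256>  <filename>" (the format printed above).
# Returns 0 only if every listed file is present in DIR with the expected
# digest AND DIR contains no file the manifest does not list; an extra object
# in the bucket is treated as a failure rather than silently ignored.
verify_manifest() {
  local manifest=$1 dir=$2 status=0 expected name actual f
  while read -r expected name; do
    [ -n "$expected" ] || continue          # skip blank lines
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    actual=$(sha256_of "$dir/$name")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name expected=$expected actual=$actual" >&2; status=1
    fi
  done < "$manifest"
  for f in "$dir"/*; do
    [ -e "$f" ] || continue                 # empty directory: glob stays literal
    name=$(basename "$f")
    awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$manifest" \
      || { echo "UNLISTED $name" >&2; status=1; }
  done
  return "$status"
}

# make_fixture DIR: constructed sample data, NOT the real bootstrap tarballs.
# The two digests are those of the empty file and of the bytes "hello\n".
make_fixture() {
  local dir=$1
  mkdir -p "$dir/artifacts"
  : > "$dir/artifacts/bootstrap-tools.tar.xz"
  printf 'hello\n' > "$dir/artifacts/unpack.nar.xz"
  cat > "$dir/manifest.sha256" <<'EOF'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  bootstrap-tools.tar.xz
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  unpack.nar.xz
EOF
}

# Usage against real downloads (paths are illustrative):
#   aws s3 cp --recursive s3://nixpkgs-tarballs/stdenv/<system>/<rev> ./dl
#   verify_manifest pinned.sha256 ./dl
```

Pin the manifest from the PR's "sha256sum of files to be uploaded" output at review time, and run the check against what actually comes back from the bucket rather than against the local store path; the two are only equivalent if the upload was not tampered with in transit or at rest.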

@ghost ghost requested a review from reckenrode April 3, 2024 22:43
@ghost ghost marked this pull request as ready for review April 3, 2024 22:44
- update the hashes and tools needed to extract the bootstrap-tools archive
- unify the x64 and aarch64 unpack process
ghost (Author) commented Apr 4, 2024

rebased with staging to get the fix #301310 for the format check workflow.

reckenrode (Contributor) left a comment

Built successfully on x86_64-darwin and aarch64-darwin. lgtm

ghost (Author) commented Apr 4, 2024

ping @lovesegfault for the tools update (thanks!): info here: #301252 (comment). Hopefully no xz backdoors in this round.

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Apr 5, 2024
@ghost ghost closed this by deleting the head repository Apr 6, 2024
lovesegfault (Member) commented

Uhhh, what? The contributor who got us to include the vulnerable xz in the Darwin bootstrap just deleted their account?

I have not uploaded the bootstrap tarballs here. I think perhaps we should revoke the vulnerable ones entirely? Even though AFAIK the xz malware does not do anything when running on Darwin.

cc. @mweinelt @reckenrode @grahamc

@mweinelt mweinelt requested a review from a team April 6, 2024 22:33
risicle (Contributor) commented Apr 6, 2024

This was a-n-n-a-l-e-e, who is currently explaining on matrix the unrelated reason for deleting their account.

mweinelt (Member) commented Apr 7, 2024

Uhhh, what? The contributor who got us to include the vulnerable xz in the Darwin bootstrap just deleted their account?

Let's be careful with any implications or accusations.

This pull request was closed.