From 20752ba4f76250509d4dd89a0bf44c808cc589b9 Mon Sep 17 00:00:00 2001
From: Guillaume Bouchard
Date: Tue, 12 Nov 2019 21:07:58 +0100
Subject: [PATCH] bazel: improve strict action env context - Bazel strict action env set a default PATH to `/bin/:/usr/bin:/usr/local/bin`. This was previously changed to disable this behavior to improve hermeticity. However the previous change was only removing `/bin:/usr/bin`, keeping `/usr/local/bin`, this commit also remove this entry.
---
 .../tools/build-managers/bazel/default.nix | 20 +++++++++++--------
 .../bazel/strict_action_env.patch | 13 ++++++++++++
 2 files changed, 25 insertions(+), 8 deletions(-)
 create mode 100644 pkgs/development/tools/build-managers/bazel/strict_action_env.patch
diff --git a/pkgs/development/tools/build-managers/bazel/default.nix b/pkgs/development/tools/build-managers/bazel/default.nix
index 74a4ff4a3da6..3064eb92043e 100644
--- a/pkgs/development/tools/build-managers/bazel/default.nix
+++ b/pkgs/development/tools/build-managers/bazel/default.nix
@@ -19,6 +19,7 @@
 , enableNixHacks ? false
 , gcc-unwrapped
 , autoPatchelfHook
+, substituteAll
 }:
 let
@@ -145,6 +146,17 @@ stdenv.mkDerivation rec {
 # This is breaking the build of any C target. This patch removes the last
 # argument if it's found to be an empty string.
 ./trim-last-argument-to-gcc-if-empty.patch
+
+ # --experimental_strict_action_env (which may one day become the default
+ # see bazelbuild/bazel#2574) hardcodes the default
+ # action environment to a non hermetic value (e.g. "/usr/local/bin").
+ # This is non hermetic on non-nixos systems. On NixOS, bazel cannot find the required binaries.
+ # So we are replacing this bazel paths by defaultShellPath,
+ # improving hermeticity and making it work in nixos.
+ (substituteAll {
+ src = ./strict_action_env.patch;
+ strictActionEnvPatch = defaultShellPath;
+ })
 ] ++ lib.optional enableNixHacks ./nix-hacks.patch;
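Review bot: In the `substituteAll` entry added to `patches`, the attribute `strictActionEnvPatch = defaultShellPath;` carries a PATH value but is named like a patch, and it has to match the `@strictActionEnvPatch@` placeholder in strict_action_env.patch character for character. substituteAll leaves placeholders it has no attribute for untouched, so a later typo on either side would ship a Bazel whose strict action PATH is the literal placeholder string instead of failing the build; renaming both sides to `strictActionEnvPath` and adding a post-patch check such as `grep -q '@strictActionEnvPath@' src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java && exit 1` would catch that. `defaultShellPath` is defined outside this hunk, so which directories end up on the action PATH cannot be confirmed from here. The added comment would also read better as `# So we replace these Bazel paths with defaultShellPath,`.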
@@ -390,14 +402,6 @@ stdenv.mkDerivation rec {
 -e "/\$command \\\\$/a --host_java_toolchain='${javaToolchain}' \\\\" \
 -i scripts/bootstrap/compile.sh
- # --experimental_strict_action_env (which will soon become the
- # default, see bazelbuild/bazel#2574) hardcodes the default
- # action environment to a value that on NixOS at least is bogus.
- # So we hardcode it to something useful.
- substituteInPlace \
- src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java \
- --replace /bin:/usr/bin ${defaultShellPath}
-
 # This is necessary to avoid:
 # "error: no visible @interface for 'NSDictionary' declares the selector
 # 'initWithContentsOfURL:error:'"
diff --git a/pkgs/development/tools/build-managers/bazel/strict_action_env.patch b/pkgs/development/tools/build-managers/bazel/strict_action_env.patch
new file mode 100644
index 000000000000..1402c20f6bdb
--- /dev/null
+++ b/pkgs/development/tools/build-managers/bazel/strict_action_env.patch
@@ -0,0 +1,13 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a70b5559bc..10bdffe961 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
++++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -466,7 +466,7 @@ public class BazelRuleClassProvider {
+ // Note that --action_env does not propagate to the host config, so it is not a viable
+ // workaround when a genrule is itself built in the host config (e.g. nested genrules). See
+ // #8536.
+- return "/bin:/usr/bin:/usr/local/bin";
++ return "@strictActionEnvPatch@";
+ }
+
+ String newPath = "";
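Review bot: The new `return "@strictActionEnvPatch@";` puts a build-time placeholder inside a Java string literal with nothing in the source saying so, and the substituted text is not escaped. A short comment above it, for example `// Replaced at Nix build time (substituteAll) with the default shell PATH; must remain a valid Java string literal.`, would help whoever rebases this patch onto a newer Bazel. The value comes from `defaultShellPath` in default.nix, which is not visible here; store paths would normally be safe, but a `"` or `\` in it would break compilation. The method continues past `String newPath = "";`, outside this hunk, so whether the remaining branch still takes PATH entries from the client environment cannot be judged from this patch.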