Commit d4a8bab
judy: revert Darwin reproducibility fixes

It was already reproducible: the only reason it seemed not to be was due
to a quirk of how `--rebuild` works on macOS. Since the implementation
of the Nix sandbox on macOS is unable to change the meaning of paths,
when rebuilding a derivation, it can't be done at the same path as the
original. Instead, the rebuild occurs with a different output path, and
the output is scanned for instances of that path so that they can be
replaced with the correct one afterwards (à la ca-derivations).

Unfortunately, macOS's codesigning system seems to include the hash of
the signed binary as part of its signature, including any incorrect
paths it contains. This results in the binaries still being different
after the path replacement step has occurred.

The reason to go out of our way to revert this is that the workaround to
avoid including the output path in any binaries includes replacing the
install name of judy with `@rpath/*` rather than its absolute path,
which breaks at least one dependency that doesn't add it to RPATH
(gtkwave), and possibly others.

To confirm that it's reproducible:
```
drv=$(nix eval .#judy --apply "pkg: (pkg.overrideAttrs { __REBUILD = true; }).drvPath" --raw)
out=$(nix derivation show "$drv" | jq -r ".[].outputs.out.path")
nix build "$drv^*" --no-link
cp -r "$out" rebuild-1
nix store delete "$out" --option keep-outputs false
nix build "$drv^*" --no-link
cp -r "$out" rebuild-2
diff -r rebuild-1 rebuild-2
```

1 parent 959931a commit d4a8bab
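The mechanism the commit message describes can be reproduced with a simplified model. This is an added example, not code from the commit or from Nix; the store paths, the file name, and the "signature" (a SHA-256 of the content appended to the file, standing in for the hash the message says codesigning seems to embed) are all constructed assumptions.

```python
import hashlib

# Constructed, equal-length store paths (not real hashes).
FINAL = b"/nix/store/" + b"a" * 32 + b"-judy"    # path of the original build
SCRATCH = b"/nix/store/" + b"b" * 32 + b"-judy"  # path used for the rebuild
SIG_MARKER = b"SIG:"                             # hypothetical signature delimiter


def build(out_path: bytes) -> bytes:
    """Stand-in for a deterministic build whose output embeds its own path."""
    return b"\x00code\x00install_name=" + out_path + b"/lib/libjudy.dylib\x00"


def sign(binary: bytes) -> bytes:
    """Model of a signature that contains a hash of the signed content."""
    return binary + SIG_MARKER + hashlib.sha256(binary).hexdigest().encode()


def rewrite_path(data: bytes, old: bytes, new: bytes) -> bytes:
    """Post-build scan-and-replace of the scratch path with the final one."""
    if len(old) != len(new):
        raise ValueError("paths must have equal length to rewrite in place")
    return data.replace(old, new)


def rebuild_matches(signed: bool) -> bool:
    """Build at FINAL, rebuild at SCRATCH, rewrite, and compare the bytes."""
    finish = sign if signed else (lambda b: b)
    original = finish(build(FINAL))
    rebuilt = rewrite_path(finish(build(SCRATCH)), SCRATCH, FINAL)
    return original == rebuilt


def unsigned_part(data: bytes) -> bytes:
    """Everything before the modelled signature."""
    body, _, _ = data.rpartition(SIG_MARKER)
    return body


if __name__ == "__main__":
    print("unsigned rebuild identical:", rebuild_matches(signed=False))
    print("signed rebuild identical:  ", rebuild_matches(signed=True))
    a = sign(build(FINAL))
    b = rewrite_path(sign(build(SCRATCH)), SCRATCH, FINAL)
    print("only the signature differs:", unsigned_part(a) == unsigned_part(b))
```

In this model the rewritten rebuild matches byte for byte until a content hash is embedded, after which the only difference is the hash computed over the scratch path.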
1 file changed: +0 -5 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
23 | 23 | | |
24 | 24 | | |
25 | 25 | | |
26 | | - | |
27 | | - | |
28 | | - | |
29 | | - | |
30 | | - | |
31 | 26 | | |
32 | 27 | | |
33 | 28 | | |
| |||