Merge pull request #208103 from raboof/neovim-reproducible

neovim: make the build reproducible
2023-01-05 13:17:38 +01:00 · 2023-01-05 13:17:38 +01:00 · af0b453724
parent c2b75a520a 90c4a2ebc3
commit af0b453724
2 changed files with 32 additions and 2 deletions
--- a/pkgs/applications/editors/neovim/default.nix
+++ b/pkgs/applications/editors/neovim/default.nix
@ -1,4 +1,5 @@
 { lib, stdenv, fetchFromGitHub, cmake, gettext, msgpack, libtermkey, libiconv
+, fetchpatch
 , libuv, lua, ncurses, pkg-config
 , unibilium, gperf
 , libvterm-neovim
@ -19,6 +20,16 @@ let
        nvim-client luv coxpcall busted luafilesystem penlight inspect
      ]
    ));
+  codegenLua =
+    if lua.pkgs.isLuaJIT
+      then
+        let deterministicLuajit =
+          lua.override {
+            deterministicStringIds = true;
+            self = deterministicLuajit;
+          };
+        in deterministicLuajit.withPackages(ps: [ ps.mpack ps.lpeg ])
+      else lua;

  pyEnv = python3.withPackages(ps: with ps; [ pynvim msgpack ]);
 in
@ -38,6 +49,13 @@ in
      # necessary so that nix can handle `UpdateRemotePlugins` for the plugins
      # it installs. See https://github.com/neovim/neovim/issues/9413.
      ./system_rplugin_manifest.patch
+      # make the build reproducible, rebased version of
+      # https://github.com/neovim/neovim/pull/21586
+      (fetchpatch {
+        name = "neovim-build-make-generated-source-files-reproducible.patch";
+        url = "https://github.com/raboof/neovim/commit/485dd2af3efbfd174163583c46e0bb2a01ff04f1.patch";
+        hash = "sha256-9aRVK4lDkL/W4RVjeKptrZFY7rYYBx6/RGR4bQSbCsM=";
+      })
    ];

    dontFixCmake = true;
@ -89,7 +107,7 @@ in
      substituteInPlace src/nvim/version.c --replace NVIM_VERSION_CFLAGS "";
    '';
    # check that the above patching actually works
-    disallowedReferences = [ stdenv.cc ];
+    disallowedReferences = [ stdenv.cc ] ++ lib.optional (lua != codegenLua) codegenLua;

    cmakeFlags = [
      # Don't use downloaded dependencies. At the end of the configurePhase one
@ -101,7 +119,12 @@ in
    ++ lib.optional (!lua.pkgs.isLuaJIT) "-DPREFER_LUA=ON"
    ;

-    preConfigure = lib.optionalString stdenv.isDarwin ''
+    preConfigure = lib.optionalString lua.pkgs.isLuaJIT ''
+      cmakeFlagsArray+=(
+        "-DLUAC_PRG=${codegenLua}/bin/luajit -b -s %s -"
+        "-DLUA_GEN_PRG=${codegenLua}/bin/luajit"
+      )
+    '' + lib.optionalString stdenv.isDarwin ''
      substituteInPlace src/nvim/CMakeLists.txt --replace "    util" ""
    '';

--- a/pkgs/development/interpreters/luajit/default.nix
+++ b/pkgs/development/interpreters/luajit/default.nix
@ -25,6 +25,12 @@
 , enableAPICheck ? false
 , enableVMAssertions ? false
 , useSystemMalloc ? false
+# Upstream generates randomized string id's by default for security reasons
+# https://github.com/LuaJIT/LuaJIT/issues/626. Deterministic string id's should
+# never be needed for correctness (that should be fixed in the lua code),
+# but may be helpful when you want to embed jit-compiled raw lua blobs in
+# binaries that you want to be reproducible.
+, deterministicStringIds ? false
 , luaAttr ? "luajit_${lib.versions.major version}_${lib.versions.minor version}"
 } @ inputs:
 assert enableJITDebugModule -> enableJIT;
@ -44,6 +50,7 @@ let
    ++ optional enableGDBJITSupport "-DLUAJIT_USE_GDBJIT"
    ++ optional enableAPICheck "-DLUAJIT_USE_APICHECK"
    ++ optional enableVMAssertions "-DLUAJIT_USE_ASSERT"
+    ++ optional deterministicStringIds "-DLUAJIT_SECURITY_STRID=0"
  ;
 in
 stdenv.mkDerivation rec {