From 5d0761048cc523ab9860a99888c0f01c3e3480d5 Mon Sep 17 00:00:00 2001 From: eilvelia Date: Tue, 10 Dec 2024 00:22:37 +0000 Subject: [PATCH] opam: fix opam sandboxing on nixos, cleanup To make opam sandboxing (via bwrap) work on nixos, the following had been used here: --set OPAM_USER_PATH_RO /run/current-system/sw/bin:/nix/ However, OPAM_USER_PATH_RO has been removed in opam 2.2.0, requiring a new workaround: https://github.com/ocaml/opam/commit/9b6370d6fef68750f41435261ee2965c49e8806a (Before this commit, executing `opam init` would display that sandboxing fails with "bwrap: execvp sh: No such file or directory".) - Removes outdated workarounds for ocp-build and argv0, cleans postInstall - Fixes link to the changelog which was broken because of "with lib;" (cherry picked from commit 5a51e70e7545cc72816eb01c4f840459160cd316) --- pkgs/development/tools/ocaml/opam/default.nix | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/pkgs/development/tools/ocaml/opam/default.nix b/pkgs/development/tools/ocaml/opam/default.nix index 4818e72f047a4..6911d3d25109d 100644 --- a/pkgs/development/tools/ocaml/opam/default.nix +++ b/pkgs/development/tools/ocaml/opam/default.nix @@ -4,12 +4,12 @@ assert lib.versionAtLeast ocaml.version "4.08.0"; -stdenv.mkDerivation { +stdenv.mkDerivation (finalAttrs: { pname = "opam"; version = "2.3.0"; src = fetchurl { - url = "https://github.com/ocaml/opam/releases/download/2.3.0/opam-full-2.3.0.tar.gz"; + url = "https://github.com/ocaml/opam/releases/download/${finalAttrs.version}/opam-full-${finalAttrs.version}.tar.gz"; hash = "sha256-UGunaGXcMVtn35qonnq9XBqJen8KkteyaUl0/cUys0Y="; }; 
@@ -23,36 +23,30 @@ stdenv.mkDerivation { patches = [ ./opam-shebangs.patch ]; preConfigure = '' - patchShebangs src/state/shellscripts + # Fix opam sandboxing on nixos. Remove after opam >= 2.4.0 is released + substituteInPlace src/state/shellscripts/bwrap.sh \ + --replace-fail 'for dir in /*; do' 'for dir in /{*,run/current-system/sw}; do' ''; configureFlags = [ "--with-vendored-deps" "--with-mccs" ]; - # Dirty, but apparently ocp-build requires a TERM - makeFlags = ["TERM=screen"]; - outputs = [ "out" "installer" ]; setOutputFlags = false; - # change argv0 to "opam" as a workaround for - # https://github.com/ocaml/opam/issues/2142 postInstall = '' - mv $out/bin/opam $out/bin/.opam-wrapped - makeWrapper $out/bin/.opam-wrapped $out/bin/opam \ - --argv0 "opam" \ - --suffix PATH : ${unzip}/bin:${curl}/bin:${lib.optionalString stdenv.hostPlatform.isLinux "${bubblewrap}/bin:"}${getconf}/bin \ - --set OPAM_USER_PATH_RO /run/current-system/sw/bin:/nix/ + wrapProgram $out/bin/opam \ + --suffix PATH : ${lib.makeBinPath ([ curl getconf unzip ] ++ lib.optionals stdenv.hostPlatform.isLinux [ bubblewrap ])} $out/bin/opam-installer --prefix=$installer opam-installer.install ''; doCheck = false; - meta = with lib; { + meta = { description = "Package manager for OCaml"; homepage = "https://opam.ocaml.org/"; - changelog = "https://github.com/ocaml/opam/raw/${version}/CHANGES"; + changelog = "https://github.com/ocaml/opam/raw/${finalAttrs.version}/CHANGES"; maintainers = [ ]; - license = licenses.lgpl21Only; - platforms = platforms.all; + license = lib.licenses.lgpl21Only; + platforms = lib.platforms.all; }; -} +})
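Review bot: In `preConfigure`, the substituted loop header `for dir in /{*,run/current-system/sw}; do` always yields the literal path `/run/current-system/sw`, because brace expansion does not test for existence, so on a non-NixOS Linux install bwrap.sh iterates over a directory that is not there. The loop body lies outside this hunk; if it binds every entry unconditionally, sandbox setup would presumably fail on those hosts, and a failing sandbox is usually worked around by disabling it, so this is worth confirming on a non-NixOS machine. I would extend the comment to record what is exposed and why, e.g. `# Adds /run/current-system/sw to the paths bwrap.sh makes visible inside the sandbox so that sh resolves on NixOS; the path is absent elsewhere.` The same hunk drops `patchShebangs src/state/shellscripts`, which the commit message does not mention; a short line saying why it is no longer needed would help the next maintainer.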