cargo: avoid using system curl on darwin
Modern versions of macOS link the system-provided curl library against
the system-provided libressl library. On recent versions of macOS, the
system libressl library reads from /private/etc/ssl/openssl.cnf. As this
path is not included in the default Nix sandbox profile, applications
that use the system curl library will report a permission error [1].

This issue affects the bootstrap version of cargo and can be seen while
building rustc for darwin with the sandbox enabled [2]. This change
works around the sandbox failure by using install_name_tool to patch the
cargo binary to use curl provided by Nix, which was the approach used in
oxalica/rust-overlay [3].

[1]: NixOS/nix#9625
[2]: https://gist.github.com/al3xtjames/06bf71ceffd745eef20be8ce03b982c5
[3]: oxalica/rust-overlay#149
al3xtjames committed Mar 30, 2024
1 parent 85bd601 commit 0f29b34
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion pkgs/development/compilers/rust/binary.nix
Expand Up @@ -92,7 +92,10 @@ rec {
patchShebangs ./install.sh
./install.sh --prefix=$out \
--components=cargo
'' + lib.optionalString stdenv.isDarwin ''
install_name_tool -change "/usr/lib/libcurl.4.dylib" \
"${curl.out}/lib/libcurl.4.dylib" "$out/bin/cargo"
'' + ''
wrapProgram "$out/bin/cargo" \
--suffix PATH : "${rustc}/bin"
'';
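
Review bot: The added install_name_tool call hardcodes the old install name "/usr/lib/libcurl.4.dylib", and install_name_tool ignores a -change option whose old name is not present in the binary, so this step turns into a silent no-op if a later bootstrap cargo links curl under a different name, and the sandbox permission error would come back with nothing in the build pointing here. Consider following the call with a check that fails the build when a system curl reference remains, for example `if otool -L "$out/bin/cargo" | grep -q /usr/lib/libcurl; then exit 1; fi`. The reason for the workaround is recorded only in the commit message; a short Nix comment above the `lib.optionalString stdenv.isDarwin` block referencing NixOS/nix#9625 would tell the next reader why the binary is patched and when the block can be dropped.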
