From 153867a4e3e5ab4aa9706f214e3baae773caa47b Mon Sep 17 00:00:00 2001
From: Alex James
Date: Sat, 30 Mar 2024 15:30:44 -0500
Subject: [PATCH] cargo: avoid using system curl on darwin

Modern versions of macOS link the system-provided curl library against the system-provided libressl library. On recent versions of macOS, the system libressl library reads from /private/etc/ssl/openssl.cnf. As this path is not included in the default Nix sandbox profile, applications that use the system curl library will report a permission error [1]. This issue affects the bootstrap version of cargo and can be seen while building rustc for darwin with the sandbox enabled [2]. This change works around the sandbox failure by using install_name_tool to patch the cargo binary to use curl provided by Nix, which was the approach used in oxalica/rust-overlay [3]. [1]: https://github.com/NixOS/nix/issues/9625 [2]: https://gist.github.com/al3xtjames/06bf71ceffd745eef20be8ce03b982c5 [3]: https://github.com/oxalica/rust-overlay/pull/149
---
 pkgs/development/compilers/rust/binary.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/compilers/rust/binary.nix b/pkgs/development/compilers/rust/binary.nix
index df3b8f729f7f9..0a6343e9bd943 100644
--- a/pkgs/development/compilers/rust/binary.nix
+++ b/pkgs/development/compilers/rust/binary.nix
@@ -124,7 +124,10 @@ rec {
 patchShebangs ./install.sh
 ./install.sh --prefix=$out \
 --components=cargo
-
+ '' + lib.optionalString stdenv.hostPlatform.isDarwin ''
+ install_name_tool -change "/usr/lib/libcurl.4.dylib" \
+ "${curl.out}/lib/libcurl.4.dylib" "$out/bin/cargo"
+ '' + ''
 wrapProgram "$out/bin/cargo" \
 --suffix PATH : "${rustc}/bin"
 '';
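Review bot: The `install_name_tool -change` call in the darwin branch succeeds even when the binary has no load command for exactly `/usr/lib/libcurl.4.dylib`. If a later bootstrap cargo links a different path or library version, the rewrite silently does nothing and the binary goes back to loading the system curl from outside the store. A check right after the rewrite would make that fail loudly, for example `if otool -L "$out/bin/cargo" | grep -q '/usr/lib/libcurl'; then echo "cargo still links system libcurl" >&2; exit 1; fi`, assuming `otool` is available in this build environment. It would also help to put a short comment above the darwin branch, such as `# system libcurl pulls in libressl, which reads /private/etc/ssl/openssl.cnf outside the sandbox (NixOS/nix#9625)`, so the reason survives outside the commit message. The shell string this hunk edits starts above the hunk, and `curl` is presumably already a parameter of this file since the diffstat shows no other change.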