less: Fix withSecure regression

[azuwis]

The regression was introduced by #350981.

You can tell if less is run in secure mode by:

$ less flake.nix
# press `v`

In secure mode, the status bar shows Command not available (press RETURN).

In non-secure mode, less will open the file with $EDITOR.

Also configs in ~/.config/lesskey does not work anymore, so home-manager option programs.less.keys is broken.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[bpeetz]

The underlying issue seems to have been fixed in: gwsw/less#584.

[AndersonTorres]

Please fetchpatch this:

gwsw/less@8fff6c5

[azuwis]

The patch does not apply clearly on less-668:

> Running phase: patchPhase
> applying patch /nix/store/yi1pbixylac1d2ncqla5mkvxys20h8xr-8fff6c56bfc833528b31ebdaee871f65fbe342b1.patch
> patching file NEWS
> Hunk #1 succeeded at 42 with fuzz 2 (offset -18 lines).
> patching file configure.ac
> patching file version.c
> Hunk #1 FAILED at 1036.
> 1 out of 1 hunk FAILED -- saving rejects to file version.c.rej

If maintaining patch backport is preferred, I'll leave it for other skilled people than me.

[bpeetz]

I think we could just vendor the configure.ac related parts of the patch, as only the
additions to the various changelogs fail to apply.

The resulting patch file would then be something like this:

From 8fff6c56bfc833528b31ebdaee871f65fbe342b1 Mon Sep 17 00:00:00 2001
From: Mark Nudelman <[email protected]>
Date: Fri, 1 Nov 2024 18:46:59 -0700
Subject: [PATCH] Fix configure parameters --with-secure=no and
 --without-secure.

configure.ac was invoking AC_ARG_WITH incorrectly. The third
parameter is the action to take when the --with-secure parameter
is present, even if its value is "no".

Related to ##584.
---
 configure.ac | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3a24bdf7..379c53bc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -351,10 +351,11 @@ fi

 # Compile in secure mode?
 AC_ARG_WITH(secure,
-  [  --with-secure           Compile in secure mode],
+  [  --with-secure           Compile in secure mode])
+AS_IF([test "x$with_secure" = "xyes"],[
   AC_DEFINE(SECURE_COMPILE, 1)
-  AC_SUBST(SECURE_COMPILE,1), AC_DEFINE(SECURE_COMPILE, 0)
-  AC_SUBST(SECURE_COMPILE,0))
+  AC_SUBST(SECURE_COMPILE,1)], [AC_DEFINE(SECURE_COMPILE, 0)
+  AC_SUBST(SECURE_COMPILE,0)])

 # Checks for regular expression functions.
 have_regex=no

This applies cleanly on top of the v668-rel tag.

[r-vdp]

You can use fetchpatch to fetch the patch, and pass it the file you want to patch in includes, which will filter out all others.

Something like:

patches = [
  (fetchpatch {
    url = "...";
    hash = "...";
    includes = [
      "configure.ac"
    ];
  })
}

[azuwis]

Please fetchpatch this:

gwsw/less@8fff6c5

Done.

You can use fetchpatch to fetch the patch, and pass it the file you want to patch in includes, which will filter out all others.

Thanks.

[r-vdp]

LGTM.

Feel free to ping me once ofborg is done evaluating, and we can merge this.

[Scrumplex]

This triggers 419 rebuilds. Should we move this to staging?

Changes LGTM. withSecure works as it should

Edit: I asked in the Staging matrix chat and this should be good to go!

[vcunat]

@Scrumplex: 419 rebuilds? What's the source? I believe this rebuilds all of haskellPackages on *-darwin (in particular, haskellPackages.ghc). That's many thousand rebuilds.

EDIT: I see ofBorg labels, so... I don't know. Anyway, I expect this isn't too urgent and we move it to staging? (will still reach 24.11)

EDIT2: for reference you can

nix eval -f. haskellPackages.ghc.outPath --argstr system aarch64-darwin

(and I came here by bisecting on the result of that)

[Scrumplex]

I ran nixpkgs-review rev HEAD after checking this branch out locally, which showed 419 rebuilds.

I definitely remember seeing multiple electron applications, multiple components from KDE's PIM suite and some other larger rebuilds. But I don't remember seeing any haskellPackages.*.

Edit: I ran this on x86_64-linux

Edit2:

EDIT: I see ofBorg labels, so... I don't know. Anyway, I expect this isn't too urgent and we move it to staging? (will still reach 24.11)

That should be okay.

[vcunat]

On {x86_64,aarch64}-linux the haskell packages won't rebuild, apparently. No idea why the difference.

[azuwis]

I compare the 2 derivations on aarch64-darwin and found darwin.file_cmds changed.

$ nix derivation show -f. haskellPackages.ghc.outPath > /tmp/a.json
$ git revert 63c7cab6d30ccb7cd1298ea66a1e1db6a42cbcfb
$ nix derivation show -f. haskellPackages.ghc.outPath > /tmp/b.json

$ nix path-info --recursive -f . darwin.file_cmds  
these 10 paths will be fetched (2.65 MiB download, 15.53 MiB unpacked):
  /nix/store/nqpj68jf53882pd7jfqxnq8ynqj9i1fb-copyfile-213
  /nix/store/ywh7i7ky6v4m15ij9qpyzd2vg1kfgvr1-file_cmds-448.0.3
  /nix/store/bysda9fvgzr3g9b7bv2rlx7fmxvh98ii-file_cmds-448.0.3-man
  /nix/store/r87kqv68c32nfh8lnsahcz8hmsy6wnbp-file_cmds-448.0.3-xattr
  /nix/store/w4rd08nw0jphz1fypb33cdslkaf7ycqd-gettext-0.21.1
  /nix/store/4aaf7c9hqfygvc4m73mc753k7jgz3aq0-less-668
  /nix/store/bc7rs136fxwlyq2088vd65ld8ih1qxm4-libutil-72
  /nix/store/44yi7ik2vm8cbirwmvbmbpzxk4ywxxw3-libxo-1.7.5
  /nix/store/2kqs3pw5chna80lnr0lr5pgl66qv62c4-removefile-75
  /nix/store/ccmbsgzx1ka5lz0ygcxlny13xcg5iq54-shell_cmds-319.0.1

Looks like darwin.file_cmds depends on less, and causes massive rebuild, @reckenrode anything we can do to avoid this?

haskellPackages.ghc -> xattr --(on darwin)-> darwin.file_cmds.xattr -> darwin.file_cmds -> less

[azuwis]

Derivation diff

--- /tmp/a.json	2024-11-04 17:53:24.512231078 +0800
+++ /tmp/b.json	2024-11-04 17:53:10.748805508 +0800
@@ -1,5 +1,5 @@
 {
-  "/nix/store/yfrvnvc8myn2sbz20shl4mw0r5jm6g28-ghc-9.6.6.drv": {
+  "/nix/store/ksqflmb9gwslk9503wpkjk0b2wi6hbc6-ghc-9.6.6.drv": {
     "args": [
       "-e",
       "/nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh"
@@ -32,7 +32,7 @@
       "disallowedReferences": "/nix/store/m167dc498j2pb21nnrgmadfph7bk9180-ghc-binary-9.2.4",
       "doCheck": "",
       "doInstallCheck": "",
-      "doc": "/nix/store/bh8nqqfnls4ws2hwwxn5b0w0hcl8bs9w-ghc-9.6.6-doc",
+      "doc": "/nix/store/8xd2z24xbd1qsqf30xkfdsvnp7njdcqf-ghc-9.6.6-doc",
       "dontAddExtraLibs": "1",
       "dontStrip": "",
       "enableParallelBuilding": "1",
@@ -43,13 +43,13 @@
       "mesonFlags": "",
       "name": "ghc-9.6.6",
       "nativeBuildInputs": "/nix/store/7isk914abas0yr2cxgpsmyz2ihn8mf2n-perl-5.40.0 /nix/store/zi2ask1241f3a3888dybsljaav4rnzra-hadrian-9.6.6 /nix/store/3jmzqbmlczkj00ym2yygbrss3fkr2q48-alex-3.4.0.1 /nix/store/a6hd0b5aq6wyg89sz1arah66qcrgx5qg-happy-1.20.1.1 /nix/store/h9ll345c63m4ic1wxidqin1hddmrbvb7-hscolour-1.25 /nix/store/lkqaghqp1i4y268171sqxak1i2iz2nfl-autoconf-2.72 /nix/store/75msk7kfbc4pj297z8xyck0zjhybayqj-automake-1.16.5 /nix/store/kan0sc8ns3h9r8wp6q2c6hx0r2hv5ysf-gnum4-1.4.19 /nix/store/2djmffykchgm4q4j7ylv7xgkg441mp2j-python3-3.12.7 /nix/store/alwffgcv7hf1lb5nvlk2f6smbnggr4af-ghc-settings-edit-0.1.0 /nix/store/hisnblazif8adjrlq6g539b0d81z9z3l-auto-sign-darwin-binaries-hook /nix/store/0dj60gs9vgawh8h8fpf4fszij2av1q41-python3.12-sphinx-7.4.7",
-      "out": "/nix/store/csvxck318zb6jhjjwa76i5sffc5gwfjv-ghc-9.6.6",
+      "out": "/nix/store/vdx9vnxr4z1fnzx5ynijyc5jqyvbxppk-ghc-9.6.6",
       "outputs": "out doc",
       "patches": "",
       "pname": "ghc",
       "postInstall": "# leave bindist directory\npopd\n\nsettingsFile=\"$out/lib/ghc-9.6.6/lib/settings\"\n\n# Make the installed GHC use the host->target tools.\nghc-settings-edit \"$settingsFile\" \\\n  \"C compiler command\" \"/nix/store/700a0ayy1s1h7zg9dqiqy0xvmhfr26l6-clang-wrapper-16.0.6/bin/cc\" \\\n  \"Haskell CPP command\" \"/nix/store/700a0ayy1s1h7zg9dqiqy0xvmhfr26l6-clang-wrapper-16.0.6/bin/cc\" \\\n  \"C++ compiler command\" \"/nix/store/700a0ayy1s1h7zg9dqiqy0xvmhfr26l6-clang-wrapper-16.0.6/bin/c++\" \\\n  \"ld command\" \"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ld\" \\\n  \"Merge objects command\" \"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ld\" \\\n  \"ar command\" \"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ar\" \\\n  \"ranlib command\" \"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ranlib\"\nghc-settings-edit \"$settingsFile\" \\\n  \"otool command\" \"/nix/store/wli7d4k9sh4c6fwarw3afc5g5axwbjm8-cctools-binutils-darwin-1010.6/bin/otool\" \\\n  \"install_name_tool command\" \"/nix/store/wli7d4k9sh4c6fwarw3afc5g5axwbjm8-cctools-binutils-darwin-1010.6/bin/install_name_tool\"\n\n# Install the bash completion file.\ninstall -Dm 644 utils/completion/ghc.bash $out/share/bash-completion/completions/ghc\n",
       "postPatch": "patchShebangs --build .\n",
-      "preConfigure": "for env in $(env | grep '^TARGET_' | sed -E 's|\\+?=.*||'); do\n  export \"${env#TARGET_}=${!env}\"\ndone\n# No need for absolute paths since these tools only need to work during the build\nexport CC_STAGE0=\"$CC_FOR_BUILD\"\nexport LD_STAGE0=\"$LD_FOR_BUILD\"\nexport AR_STAGE0=\"$AR_FOR_BUILD\"\n\n# Stage0 (build->build) which builds stage 1\nexport GHC=\"/nix/store/m167dc498j2pb21nnrgmadfph7bk9180-ghc-binary-9.2.4/bin/ghc\"\n# GHC is a bit confused on its cross terminology, as these would normally be\n# the *host* tools.\nexport CC=\"/nix/store/700a0ayy1s1h7zg9dqiqy0xvmhfr26l6-clang-wrapper-16.0.6/bin/cc\"\nexport CXX=\"/nix/store/700a0ayy1s1h7zg9dqiqy0xvmhfr26l6-clang-wrapper-16.0.6/bin/c++\"\n# Use gold to work around https://sourceware.org/bugzilla/show_bug.cgi?id=16177\nexport LD=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ld\"\nexport AS=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/as\"\nexport AR=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ar\"\nexport NM=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/nm\"\nexport RANLIB=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ranlib\"\nexport READELF=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/readelf\"\nexport STRIP=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/strip\"\nexport OBJDUMP=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/objdump\"\nexport OTOOL=\"/nix/store/wli7d4k9sh4c6fwarw3afc5g5axwbjm8-cctools-binutils-darwin-1010.6/bin/otool\"\nexport INSTALL_NAME_TOOL=\"/nix/store/wli7d4k9sh4c6fwarw3afc5g5axwbjm8-cctools-binutils-darwin-1010.6/bin/install_name_tool\"\nexport NIX_LDFLAGS+=\" -no_dtrace_dof\"\n\n# GHC tries the host xattr /usr/bin/xattr by default which fails since it expects python to be 2.7\nexport XATTR=/nix/store/z9awz7b4x5ym5c5sksf2nbgyf04if876-file_cmds-448.0.3-xattr/bin/xattr\nhadrianFlagsArray=(\n  \"-j$NIX_BUILD_CORES\"\n  \n)\n",
+      "preConfigure": "for env in $(env | grep '^TARGET_' | sed -E 's|\\+?=.*||'); do\n  export \"${env#TARGET_}=${!env}\"\ndone\n# No need for absolute paths since these tools only need to work during the build\nexport CC_STAGE0=\"$CC_FOR_BUILD\"\nexport LD_STAGE0=\"$LD_FOR_BUILD\"\nexport AR_STAGE0=\"$AR_FOR_BUILD\"\n\n# Stage0 (build->build) which builds stage 1\nexport GHC=\"/nix/store/m167dc498j2pb21nnrgmadfph7bk9180-ghc-binary-9.2.4/bin/ghc\"\n# GHC is a bit confused on its cross terminology, as these would normally be\n# the *host* tools.\nexport CC=\"/nix/store/700a0ayy1s1h7zg9dqiqy0xvmhfr26l6-clang-wrapper-16.0.6/bin/cc\"\nexport CXX=\"/nix/store/700a0ayy1s1h7zg9dqiqy0xvmhfr26l6-clang-wrapper-16.0.6/bin/c++\"\n# Use gold to work around https://sourceware.org/bugzilla/show_bug.cgi?id=16177\nexport LD=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ld\"\nexport AS=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/as\"\nexport AR=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ar\"\nexport NM=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/nm\"\nexport RANLIB=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/ranlib\"\nexport READELF=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/readelf\"\nexport STRIP=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/strip\"\nexport OBJDUMP=\"/nix/store/vnkvxq7wqxg180awsv2rmira5pvc875p-cctools-binutils-darwin-wrapper-1010.6/bin/objdump\"\nexport OTOOL=\"/nix/store/wli7d4k9sh4c6fwarw3afc5g5axwbjm8-cctools-binutils-darwin-1010.6/bin/otool\"\nexport INSTALL_NAME_TOOL=\"/nix/store/wli7d4k9sh4c6fwarw3afc5g5axwbjm8-cctools-binutils-darwin-1010.6/bin/install_name_tool\"\nexport NIX_LDFLAGS+=\" -no_dtrace_dof\"\n\n# GHC tries the host xattr /usr/bin/xattr by default which fails since it expects python to be 2.7\nexport XATTR=/nix/store/r87kqv68c32nfh8lnsahcz8hmsy6wnbp-file_cmds-448.0.3-xattr/bin/xattr\nhadrianFlagsArray=(\n  \"-j$NIX_BUILD_CORES\"\n  \n)\n",
       "preInstall": "pushd _build/bindist/*\n\nexport InstallNameToolCmd=$INSTALL_NAME_TOOL\nexport OtoolCmd=$OTOOL\n$configureScript $configureFlags \"${configureFlagsArray[@]}\"\n",
       "propagatedBuildInputs": "",
       "propagatedNativeBuildInputs": "",
@@ -74,12 +74,6 @@
           "out"
         ]
       },
-      "/nix/store/5bhpflsh4v55wnir77dll5x2znpp6w17-file_cmds-448.0.3.drv": {
-        "dynamicOutputs": {},
-        "outputs": [
-          "xattr"
-        ]
-      },
       "/nix/store/62sadwh9mwfgxmk6kx62yia20rd1j5w4-clang-wrapper-16.0.6.drv": {
         "dynamicOutputs": {},
         "outputs": [
@@ -210,6 +204,12 @@
         "outputs": [
           "out"
         ]
+      },
+      "/nix/store/zh57rrnv0ayvqg6fng59y8p6w57p5y0b-file_cmds-448.0.3.drv": {
+        "dynamicOutputs": {},
+        "outputs": [
+          "xattr"
+        ]
       }
     },
     "inputSrcs": [
@@ -218,10 +218,10 @@
     "name": "ghc-9.6.6",
     "outputs": {
       "doc": {
-        "path": "/nix/store/bh8nqqfnls4ws2hwwxn5b0w0hcl8bs9w-ghc-9.6.6-doc"
+        "path": "/nix/store/8xd2z24xbd1qsqf30xkfdsvnp7njdcqf-ghc-9.6.6-doc"
       },
       "out": {
-        "path": "/nix/store/csvxck318zb6jhjjwa76i5sffc5gwfjv-ghc-9.6.6"
+        "path": "/nix/store/vdx9vnxr4z1fnzx5ynijyc5jqyvbxppk-ghc-9.6.6"
       }
     },
     "system": "aarch64-darwin"

[reckenrode]

Looks like darwin.file_cmds depends on less, and causes massive rebuild, @reckenrode anything we can do to avoid this?

Looks like this was moved to staging, which is what my recommendation would have been. I don’t know why ofborg thinks there are so few Darwin rebuilds if it will rebuild all of haskellPackages.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/less-not-using-lesspipe/56022/4