| 13 Sep 2025 |
 K900 | Legacy boot ISO | 17:23:03 |
 emily | we sure do | 17:23:14 |
| emily | until ElvishJerricco fixes it | 17:23:22 |
 Lun | is there a VM test that boots that legacy ISO? | 17:24:00 |
 ElvishJerricco | (hi, I have plans) | 17:24:06 |
| ElvishJerricco | nixos/tests/boot.nix | 17:24:17 |
| emily | aloisw: go build respects GOFLAGS, right? can't we just add -ldflags= to our GOFLAGS? | 17:24:51 |
| ElvishJerricco | specifically nixosTests.boot.bios{Usb,Cdrom} | 17:24:59 |
| emily | it's totally unclear to me why we do that stuff in
flags+=(''${tags:+-tags=$(concatStringsSep "," tags)})
flags+=(''${ldflags:+-ldflags="''${ldflags[*]}"})
flags+=("-p" "$NIX_BUILD_CORES")
| 17:25:03 |
| Lun | alrighty time to see if i broke the cdrom bootloader | 17:25:48 |
| emily | Lun: for https://github.com/NixOS/nixpkgs/pull/442510 I think what we want is
-
Go stuff actually should be in Bash I guess because CGO_ENABLED could be set at runtime, but it should key on that, and it needs to add -linkmode=external to ldflags; and then we need to figure out syncthing (maybe fixable by injecting -ldflags=… into GOFLAGS?), and later in a separate PR we can drop CGO_ENABLED = 0; where it's unnecessary but that's not a blocker
-
hardening flag docs need updating to not mention pie
-
treewide drop of hardening{Enable,Disable} for it and we should consider emitting a warning when it is passed after that (can be a separate PR)
| 17:28:20 |
 Alyssa Ross | Presumably we also need to make sure musl isn't regressing? Since previously adding the pie flag apparently fixed stuff. | 17:29:11 |
| Lun | Yeah will check some pkgsMusl. pkgsMusl.syncthing is currently broken due to how it adds the pie flag so it seems like it fixed some stuff broke some stuff. | 17:29:46 |
| emily | linkerd has this dubious thing
# Necessary for building Musl
if [[ $NIX_HARDENING_ENABLE =~ "pie" ]]; then
export GOFLAGS="-buildmode=pie $GOFLAGS"
fi
| 17:30:12 |
| emily | well we would be doing -buildmode=pie -ldflags=-linkmode=external by default | 17:30:31 |
| emily | when CGO_ENABLE != 0 | 17:30:33 |
| emily | so I guess the treewide sweep of those may be necessary to fix dynamic Musl yeah | 17:30:41 |
| Alyssa Ross | Was it specifically about Go? | 17:30:42 |
| emily | are we talking about | 17:31:04 |
| emily | pkgs/by-name/lw/lwan/package.nix
41: hardeningDisable = lib.optional stdenv.hostPlatform.isMusl "pie";
?
| 17:31:06 |
| emily | that's the only case I know where something is disabling pie for dynamic Musl, and I sort of suspect that it means to say isStatic | 17:31:18 |
| emily | https://github.com/NixOS/nixpkgs/pull/79970 maybe it was for dynamic | 17:31:54 |
| Alyssa Ross | I'm talking about us enabling pie by default on musl | 17:33:14 |
| Alyssa Ross | because it apparently fixed things | 17:33:17 |
| Alyssa Ross | if we remove the hardening option, we need to make sure we don't regress whatever that fixed | 17:33:33 |
| Lun | was first set way back in https://github.com/LunNova/nixpkgs/commit/6d531f354155043518a59161f42f24f5918e76ab | 17:38:28 |
| emily | https://github.com/NixOS/nixpkgs/pull/442668 oh no | 17:48:26 |
 aloisw | Yes that is one of the usual symptoms of FHS linker path. | 17:49:53 |
| K900 | I can't test those rebuilds locally and would like to avoid it unless necessary.
So let's make it everyone else's problem instead got it | 17:50:37 |
| emily | well they were explicitly told a split package might be a good idea on the previous PR | 17:51:29 |
