Qumulo's heimdal patches rebased on heimdal 7.8.0 #3
Open
PhilipTaronQ wants to merge 13 commits into
b6fce30 to 87b8ecf
640e96f to a80d217
These are the Qumulo vim plugins as of March 23, 2025.
Since 7459fe9 (nodejs: make nodejs_* depend on nodejs-slim_*), npm was split into a separate output on nodejs-slim. The passthru.pkgs in nodejs.nix passes nodejs = self (slim) to node-env.nix, so npm was absent from buildInputs, causing "npm: command not found" during builds. Fix by adding nodejs.npm to buildInputs when the attribute exists.
…c 2.27

Uses nixpkgs cross-compilation with LLVM 21 and a crossOverlay that replaces glibc with Ubuntu Bionic's libc6/libc6-dev/linux-libc-dev extracted from .deb packages. Produces binaries linked against glibc 2.27.
Move the variant logic into pkgs/top-level/ubuntu-bionic.nix to avoid upstream merge conflicts in variants.nix and make per-package adjustments easy via let bindings. Disable wolfssl tests (NSS hostname resolution fails with vanilla glibc 2.27 inside the Nix sandbox).
Keep self.callPackage in variants.nix so ubuntu-bionic.nix never receives the outer package set. Merge the two crossOverlays into one.
Fix common build failures when cross-compiling against the Ubuntu Bionic (glibc 2.27, kernel 4.15) sysroot with LLVM 21:
- Disable tests for 10 packages whose test suites try to execute cross-compiled binaries (gdbm, libarchive, libffi, libgcrypt, libgpg-error, libpsl, openssl, p11-kit, sqlite, unbound).
- bash/bashNonInteractive: disable fortify hardening — Bionic's fortify headers redefine asprintf as a macro that conflicts with bash's own extern declaration in braces.c.
- elfutils: suppress -Wunused-but-set-variable (promoted to error by -Werror; caught by clang but not gcc).
- gnutls: disable kTLS (Bionic's 4.15 headers lack TLS_RX, AES-CCM structs) and C++ bindings (gnulib string.h conflicts with libc++).
- python313: clear RUNSHARED in the generated Makefile — it sets LD_LIBRARY_PATH to the build dir, causing the native Python to load the cross-compiled libpython, which pulls in the sysroot's libpthread with GLIBC_PRIVATE symbols the build host lacks.
- glib: disable GObject introspection — g-ir-scanner links a temporary binary against native libs that need GLIBC_2.29+.
- gettext: force am_cv_func_iconv_works=yes (configure test tries to run a cross binary) and suppress -Wincompatible-function-pointer-types (clang 21 error in libtextstyle's iconv-ostream.c).
Build graphviz to produce libcgraph, libgvc, libgvpr, libpathplan, and libxdot for the Bionic sysroot. Drop gts, pango, and gd from buildInputs — these pull in glib variants with GObject introspection enabled through nixpkgs' cross-compilation splicing. The spliced glib variants bypass the crossOverlay's withIntrospection=false override, and g-ir-scanner fails because it links a temporary binary against both native libraries (needing GLIBC_2.29+) and the Bionic sysroot (glibc 2.27). The dropped deps are only needed for text rendering (pango), image output (gd), and 3D surface meshes (gts) — none of which are required by the core graph libraries. Also disable X11 support (withXorg=false) since the target environment doesn't have X libraries.
Build RPM to produce librpm, librpmbuild, librpmio, and librpmsign for the Bionic sysroot. Disable several RPM dependencies that can't cross-compile against the Bionic sysroot:
- rpm-sequoia (Rust): build scripts are compiled and executed on the build host, but same-arch cross-compilation causes them to link against the sysroot's libpthread, which references GLIBC_PRIVATE symbols absent from the build host's glibc. Use RPM's internal OpenPGP implementation with libgcrypt instead.
- audit: requires kernel headers newer than Bionic's 4.15 (linux/io_uring.h, AUDIT_ARCH_RISCV*).
- systemd: requires glibc 2.28+ (threads.h, struct statx).
- gnupg: stripped to minimal — disable pcsclite (needs dbus→audit), TPM2, OpenLDAP (needs systemd via cyrus-sasl), GUI, libusb (needs systemd-minimal-libs); force am_cv_func_iconv_works=yes for the same cross-compilation iconv detection issue as gettext.
Build wireshark-cli to produce libwireshark, libwiretap, and libwsutil for the Bionic sysroot. The Wireshark dependency chain hits several Bionic-incompatible packages. Fix them:
- audit: requires kernel 4.18+ headers (io_uring.h, AUDIT_ARCH_RISCV*). Disable audit in linux-pam (withAudit=false) and dbus (audit=null).
- systemd: requires glibc 2.28+ (threads.h, struct statx). Disable in dbus (enableSystemd=false).
- libcap: disable Go (same-arch sysroot contamination makes build scripts load the cross libpthread) and PAM (needs audit).
- libpcap: disable Bluetooth support — bluez depends on the dbus→audit chain. Override wireshark's libpcap' to use our bluez-free libpcap.
- speexdsp/spandsp3: need Fortran (fftw) which can't cross-compile with our toolchain. Drop from buildInputs; disable sharkd and stratoshark (the only consumers of speexdsp).
- lemon: CMake stores clang-specific flags (-Xclang -analyzer-disable-all-checks) then applies them when compiling lemon with the native gcc. Strip them from build.ninja.
- NL80211_BAND_6GHZ: missing from Bionic's 4.15 kernel headers. Define it via NIX_CFLAGS_COMPILE.
- Use dpkg's unpack hook instead of manual dpkg-deb invocation
- Combine two sed substitutions into one extended regex
- Remove unnecessary conditional around arch-specific header copy (meta.platforms already constrains to x86_64-linux)
- Remove unused bin output
- Remove defensive || true on static lib copy
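A check a reviewer could run on the built libraries to confirm the glibc 2.27 ceiling these commits target. This is an added example, not part of the pull request; the `audit_imports` helper and the sample `objdump -T` lines are constructed for illustration.

```python
import re

# Ceiling taken from the commits above: the Bionic sysroot ships glibc 2.27.
GLIBC_CEILING = (2, 27)

# One imported ("*UND*") dynamic symbol and its version tag as printed by
# `objdump -T`; some binutils versions wrap the tag in parentheses.
_UND_LINE = re.compile(r"\*UND\*.*?\(?(GLIBC_[0-9A-Za-z_.]+)\)?\s+(\S+)\s*$")

# Constructed sample input (not taken from any real build).
SAMPLE = """\
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 printf
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.27  memfd_create
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.28  statx
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.29) pow
0000000000000000      DF *UND*  0000000000000000  GLIBC_PRIVATE __libc_pthread_init
0000000000001139 g    DF .text  0000000000000026  Base        main
"""

def parse_version(tag):
    """'GLIBC_2.2.5' -> (2, 2, 5); non-numeric tags such as GLIBC_PRIVATE -> None."""
    body = tag[len("GLIBC_"):]
    if not re.fullmatch(r"\d+(\.\d+)*", body):
        return None
    return tuple(int(part) for part in body.split("."))

def audit_imports(objdump_output, ceiling=GLIBC_CEILING):
    """Return imports that need a newer glibc than `ceiling`, plus imports
    bound to non-numeric tags (e.g. GLIBC_PRIVATE), which only resolve
    against the exact glibc build that exported them."""
    too_new, non_numeric = [], []
    for line in objdump_output.splitlines():
        match = _UND_LINE.search(line)
        if not match:
            continue  # defined symbol, header line, or unversioned import
        tag, symbol = match.groups()
        version = parse_version(tag)
        if version is None:
            non_numeric.append((symbol, tag))
        elif version > ceiling:
            too_new.append((symbol, tag))
    return {"too_new": sorted(too_new), "non_numeric": sorted(non_numeric)}

if __name__ == "__main__":
    print(audit_imports(SAMPLE))
```

Feeding it the output of `objdump -T` for each produced shared object turns the "linked against glibc 2.27" claim into something a CI step can fail on.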
a80d217 to 5e9fbc3
- openldap: disable systemd (needs glibc 2.28+ threads.h/statx) and tests (try to run cross-compiled slapd)
- heimdal: pass --undefined-version to lld (libroken's version script lists compat shims not compiled on Linux) and disable tests
- linux-pam: disable logind (same systemd issue) and pass --undefined-version (modules.map lists pam_sm_* symbols that individual modules don't all define)
Qumulo maintains a set of patches on top of Heimdal for custom NTLM server support, NTLMv2, GSSAPI MIC IOV operations, debug hooks, and other integrations. These were originally maintained against the chapeltech/heimdal "few-small-fixes" fork; this package rebases them onto the upstream 7.8.0 source used by nixpkgs.

Patches ported from the Qumulo toolchain:
- 01: custom NTLM server interface
- 03: mock clock for testing
- 05: SPNEGO NTLM fallback
- 11: NTLMv2 authentication
- 13: export SSPI session key OID
- 16: krb5_set_debug_dest_facility()
- 17: gsskrb5 release_name optimization
- 18: gss_get_mic_iov() implementation
- 19: gss_verify_mic_iov() implementation
- 32: Qumulo hooks for config/keytab/NTLM file interception
- 35: NTLM Type 1 message encoding fix

CVE patches 20-31 are dropped (already fixed in 7.8.0).
Same --undefined-version lld workaround as regular heimdal.
648c6aa to 263e35c
30143a0 to 3cb3018
Commit 1 (633f496): pkgsUbuntu.bionic: add heimdal cross-compilation overrides
- --undefined-version for lld + disabled tests
- --undefined-version for lld

Commit 2 (fae1f93): heimdal-qumulo: init, Heimdal 7.8.0 with Qumulo patches
- pkgs/by-name/he/heimdal-qumulo/

Commit 3 (1ac0826): pkgsUbuntu.bionic: add heimdal-qumulo cross-compilation override