Add 'nixpkgs/' from commit 'abf060725d7614bd3b9f96764262dfbc2f9c2199'

git-subtree-dir: nixpkgs
git-subtree-mainline: 4e31070265257dc67d120c27e0f75c2344fdfa9a
git-subtree-split: abf060725d7614bd3b9f96764262dfbc2f9c2199

5 files changed, 925 insertions, 0 deletions

diff --git a/nixpkgs/pkgs/stdenv/darwin/darwin-secure-format.patch b/nixpkgs/pkgs/stdenv/darwin/darwin-secure-format.patch
new file mode 100644
index 000000000000..b14d8be6ef16
--- /dev/null
+++ b/nixpkgs/pkgs/stdenv/darwin/darwin-secure-format.patch
@@ -0,0 +1,15 @@
+With format string strictness, High Sierra also enforces that %n isn't used
+in dynamic format strings, but we should just disable its use on darwin in
+general.
+
+--- a/lib/vasnprintf.c	2017-06-22 15:19:15.000000000 -0700
++++ b/lib/vasnprintf.c	2017-06-22 15:20:20.000000000 -0700
+@@ -4869,7 +4869,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *
+ #endif
+                   *fbp = dp->conversion;
+ #if USE_SNPRINTF
+-# if !(((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) && !defined __UCLIBC__) || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__))
++# if !defined(__APPLE__) && !(((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) && !defined __UCLIBC__) || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__))
+                 fbp[1] = '%';
+                 fbp[2] = 'n';
+                 fbp[3] = '\0';
diff --git a/nixpkgs/pkgs/stdenv/darwin/default.nix b/nixpkgs/pkgs/stdenv/darwin/default.nix
new file mode 100644
index 000000000000..b7d8e3ba5236
--- /dev/null
+++ b/nixpkgs/pkgs/stdenv/darwin/default.nix
@@ -0,0 +1,457 @@
+{ lib
+, localSystem, crossSystem, config, overlays, crossOverlays ? []
+
+# Allow passing in bootstrap files directly so we can test the stdenv bootstrap process when changing the bootstrap tools
+, bootstrapFiles ? let
+  fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> {
+    url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/d5bdfcbfe6346761a332918a267e82799ec954d2/${file}";
+    inherit (localSystem) system;
+    inherit sha256 executable;
+  }; in {
+    sh      = fetch { file = "sh";    sha256 = "07wm33f1yzfpcd3rh42f8g096k4cvv7g65p968j28agzmm2s7s8m"; };
+    bzip2   = fetch { file = "bzip2"; sha256 = "0y9ri2aprkrp2dkzm6229l0mw4rxr2jy7vvh3d8mxv2698v2kdbm"; };
+    mkdir   = fetch { file = "mkdir"; sha256 = "0sb07xpy66ws6f2jfnpjibyimzb71al8n8c6y4nr8h50al3g90nr"; };
+    cpio    = fetch { file = "cpio";  sha256 = "0r5c54hg678w7zydx27bzl9p3v9fs25y5ix6vdfi1ilqim7xh65n"; };
+    tarball = fetch { file = "bootstrap-tools.cpio.bz2"; sha256 = "18hp5w6klr8g307ap4368r255qpzg9r0vwg9vqvj8f2zy1xilcjf"; executable = false; };
+  }
+}:
+
+assert crossSystem == localSystem;
+
+let
+  inherit (localSystem) system platform;
+
+  commonImpureHostDeps = [
+    "/bin/sh"
+    "/usr/lib/libSystem.B.dylib"
+    "/usr/lib/system/libunc.dylib" # This dependency is "hidden", so our scanning code doesn't pick it up
+  ];
+in rec {
+  commonPreHook = ''
+    export NIX_ENFORCE_PURITY="''${NIX_ENFORCE_PURITY-1}"
+    export NIX_ENFORCE_NO_NATIVE="''${NIX_ENFORCE_NO_NATIVE-1}"
+    export NIX_IGNORE_LD_THROUGH_GCC=1
+    stripAllFlags=" " # the Darwin "strip" command doesn't know "-s"
+    export MACOSX_DEPLOYMENT_TARGET=10.10
+    export SDKROOT=
+    export CMAKE_OSX_ARCHITECTURES=x86_64
+    # Workaround for https://openradar.appspot.com/22671534 on 10.11.
+    export gl_cv_func_getcwd_abort_bug=no
+  '';
+
+  bootstrapTools = derivation rec {
+    inherit system;
+
+    name    = "bootstrap-tools";
+    builder = bootstrapFiles.sh; # Not a filename! Attribute 'sh' on bootstrapFiles
+    args    = [ ./unpack-bootstrap-tools.sh ];
+
+    inherit (bootstrapFiles) mkdir bzip2 cpio tarball;
+    reexportedLibrariesFile =
+      ../../os-specific/darwin/apple-source-releases/Libsystem/reexported_libraries;
+
+    __impureHostDeps = commonImpureHostDeps;
+  };
+
+  stageFun = step: last: {shell             ? "${bootstrapTools}/bin/bash",
+                          overrides         ? (self: super: {}),
+                          extraPreHook      ? "",
+                          extraNativeBuildInputs,
+                          extraBuildInputs,
+                          libcxx,
+                          allowedRequisites ? null}:
+    let
+      name = "bootstrap-stage${toString step}";
+
+      buildPackages = lib.optionalAttrs (last ? stdenv) {
+        inherit (last) stdenv;
+      };
+
+      coreutils = { name = "${name}-coreutils"; outPath = bootstrapTools; };
+      gnugrep   = { name = "${name}-gnugrep";   outPath = bootstrapTools; };
+
+      bintools = import ../../build-support/bintools-wrapper {
+        inherit shell;
+        inherit (last) stdenvNoCC;
+
+        nativeTools  = false;
+        nativeLibc   = false;
+        inherit buildPackages coreutils gnugrep;
+        libc         = last.pkgs.darwin.Libsystem;
+        bintools     = { name = "${name}-binutils"; outPath = bootstrapTools; };
+      };
+
+      cc = if isNull last then "/dev/null" else import ../../build-support/cc-wrapper {
+        inherit shell;
+        inherit (last) stdenvNoCC;
+
+        extraPackages = lib.optional (libcxx != null) libcxx;
+
+        nativeTools  = false;
+        nativeLibc   = false;
+        inherit buildPackages coreutils gnugrep bintools;
+        libc         = last.pkgs.darwin.Libsystem;
+        isClang      = true;
+        cc           = { name = "${name}-clang"; outPath = bootstrapTools; };
+      };
+
+      thisStdenv = import ../generic {
+        name = "${name}-stdenv-darwin";
+
+        inherit config shell extraNativeBuildInputs extraBuildInputs;
+        allowedRequisites = if allowedRequisites == null then null else allowedRequisites ++ [
+          cc.expand-response-params cc.bintools
+        ];
+
+        buildPlatform = localSystem;
+        hostPlatform = localSystem;
+        targetPlatform = localSystem;
+
+        inherit cc;
+
+        preHook = lib.optionalString (shell == "${bootstrapTools}/bin/bash") ''
+          # Don't patch #!/interpreter because it leads to retained
+          # dependencies on the bootstrapTools in the final stdenv.
+          dontPatchShebangs=1
+        '' + ''
+          ${commonPreHook}
+          ${extraPreHook}
+        '';
+        initialPath  = [ bootstrapTools ];
+
+        fetchurlBoot = import ../../build-support/fetchurl {
+          inherit lib;
+          stdenvNoCC = stage0.stdenv;
+          curl = bootstrapTools;
+        };
+
+        # The stdenvs themselves don't use mkDerivation, so I need to specify this here
+        __stdenvImpureHostDeps = commonImpureHostDeps;
+        __extraImpureHostDeps = commonImpureHostDeps;
+
+        extraAttrs = {
+          inherit platform;
+          parent = last;
+
+          # This is used all over the place so I figured I'd just leave it here for now
+          secure-format-patch = ./darwin-secure-format.patch;
+        };
+        overrides  = self: super: (overrides self super) // { fetchurl = thisStdenv.fetchurlBoot; };
+      };
+
+    in {
+      inherit config overlays;
+      stdenv = thisStdenv;
+    };
+
+  stage0 = stageFun 0 null {
+    overrides = self: super: with stage0; rec {
+      darwin = super.darwin // {
+        Libsystem = stdenv.mkDerivation {
+          name = "bootstrap-stage0-Libsystem";
+          buildCommand = ''
+            mkdir -p $out
+            ln -s ${bootstrapTools}/lib $out/lib
+            ln -s ${bootstrapTools}/include-Libsystem $out/include
+          '';
+        };
+        dyld = bootstrapTools;
+      };
+
+      llvmPackages_5 = {
+        libcxx = stdenv.mkDerivation {
+          name = "bootstrap-stage0-libcxx";
+          phases = [ "installPhase" "fixupPhase" ];
+          installPhase = ''
+            mkdir -p $out/lib $out/include
+            ln -s ${bootstrapTools}/lib/libc++.dylib $out/lib/libc++.dylib
+            ln -s ${bootstrapTools}/include/c++      $out/include/c++
+          '';
+          linkCxxAbi = false;
+          setupHook = ../../development/compilers/llvm/3.9/libc++/setup-hook.sh;
+        };
+
+        libcxxabi = stdenv.mkDerivation {
+          name = "bootstrap-stage0-libcxxabi";
+          buildCommand = ''
+            mkdir -p $out/lib
+            ln -s ${bootstrapTools}/lib/libc++abi.dylib $out/lib/libc++abi.dylib
+          '';
+        };
+      };
+    };
+
+    extraNativeBuildInputs = [];
+    extraBuildInputs = [];
+    libcxx = null;
+  };
+
+  stage1 = prevStage: let
+    persistent = self: super: with prevStage; {
+      cmake = super.cmake.override {
+        isBootstrap = true;
+        useSharedLibraries = false;
+      };
+
+      python = super.callPackage ../../development/interpreters/python/cpython/2.7/boot.nix {
+        CF = null;  # use CoreFoundation from bootstrap-tools
+        configd = null;
+      };
+      python2 = self.python;
+
+      ninja = super.ninja.override { buildDocs = false; };
+      darwin = super.darwin // { cctools = super.darwin.cctools.override { llvm = null; }; };
+    };
+  in with prevStage; stageFun 1 prevStage {
+    extraPreHook = "export NIX_CFLAGS_COMPILE+=\" -F${bootstrapTools}/Library/Frameworks\"";
+    extraNativeBuildInputs = [];
+    extraBuildInputs = [ ];
+    libcxx = pkgs.libcxx;
+
+    allowedRequisites =
+      [ bootstrapTools ] ++ (with pkgs; [ libcxx libcxxabi ]) ++ [ pkgs.darwin.Libsystem ];
+
+    overrides = persistent;
+  };
+
+  stage2 = prevStage: let
+    persistent = self: super: with prevStage; {
+      inherit
+        zlib patchutils m4 scons flex perl bison unifdef unzip openssl python
+        libxml2 gettext sharutils gmp libarchive ncurses pkg-config libedit groff
+        openssh sqlite sed serf openldap db cyrus-sasl expat apr-util subversion xz
+        findfreetype libssh curl cmake autoconf automake libtool ed cpio coreutils
+        libssh2 nghttp2 libkrb5 python2 ninja;
+
+      darwin = super.darwin // {
+        inherit (darwin)
+          dyld Libsystem xnu configd ICU libdispatch libclosure launchd CF;
+      };
+    };
+  in with prevStage; stageFun 2 prevStage {
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+
+    extraNativeBuildInputs = [ pkgs.xz ];
+    extraBuildInputs = [ pkgs.darwin.CF ];
+    libcxx = pkgs.libcxx;
+
+    allowedRequisites =
+      [ bootstrapTools ] ++
+      (with pkgs; [
+        xz.bin xz.out libcxx libcxxabi zlib libxml2.out curl.out openssl.out libssh2.out
+        nghttp2.lib libkrb5
+      ]) ++
+      (with pkgs.darwin; [ dyld Libsystem CF ICU locale ]);
+
+    overrides = persistent;
+  };
+
+  stage3 = prevStage: let
+    persistent = self: super: with prevStage; {
+      inherit
+        patchutils m4 scons flex perl bison unifdef unzip openssl python
+        gettext sharutils libarchive pkg-config groff bash subversion
+        openssh sqlite sed serf openldap db cyrus-sasl expat apr-util
+        findfreetype libssh curl cmake autoconf automake libtool cpio
+        libssh2 nghttp2 libkrb5 python2 ninja;
+
+      # Avoid pulling in a full python and its extra dependencies for the llvm/clang builds.
+      libxml2 = super.libxml2.override { pythonSupport = false; };
+
+      llvmPackages_5 = super.llvmPackages_5 // (let
+        libraries = super.llvmPackages_5.libraries.extend (_: _: {
+          inherit (llvmPackages_5) libcxx libcxxabi;
+        });
+      in { inherit libraries; } // libraries);
+
+      darwin = super.darwin // {
+        inherit (darwin)
+          dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale;
+      };
+    };
+  in with prevStage; stageFun 3 prevStage {
+    shell = "${pkgs.bash}/bin/bash";
+
+    # We have a valid shell here (this one has no bootstrap-tools runtime deps) so stageFun
+    # enables patchShebangs above. Unfortunately, patchShebangs ignores our $SHELL setting
+    # and instead goes by $PATH, which happens to contain bootstrapTools. So it goes and
+    # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first.
+    extraNativeBuildInputs = with pkgs; [ xz pkgs.bash ];
+    extraBuildInputs = [ pkgs.darwin.CF ];
+    libcxx = pkgs.libcxx;
+
+    extraPreHook = ''
+      export PATH=${pkgs.bash}/bin:$PATH
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+
+    allowedRequisites =
+      [ bootstrapTools ] ++
+      (with pkgs; [
+        xz.bin xz.out bash libcxx libcxxabi zlib libxml2.out curl.out openssl.out libssh2.out
+        nghttp2.lib libkrb5
+      ]) ++
+      (with pkgs.darwin; [ dyld ICU Libsystem locale ]);
+
+    overrides = persistent;
+  };
+
+  stage4 = prevStage: let
+    persistent = self: super: with prevStage; {
+      inherit
+        gnumake gzip gnused bzip2 gawk ed xz patch bash
+        ncurses libffi zlib gmp pcre gnugrep
+        coreutils findutils diffutils patchutils ninja;
+
+      # Hack to make sure we don't link ncurses in bootstrap tools. The proper
+      # solution is to avoid passing -L/nix-store/...-bootstrap-tools/lib,
+      # quite a sledgehammer just to get the C runtime.
+      gettext = super.gettext.overrideAttrs (drv: {
+        configureFlags = drv.configureFlags ++ [
+          "--disable-curses"
+        ];
+      });
+
+      llvmPackages_5 = super.llvmPackages_5 // (let
+        tools = super.llvmPackages_5.tools.extend (llvmSelf: _: {
+          inherit (llvmPackages_5) llvm clang-unwrapped;
+        });
+        libraries = super.llvmPackages_5.libraries.extend (llvmSelf: _: {
+          inherit (llvmPackages_5) libcxx libcxxabi compiler-rt;
+        });
+      in { inherit tools libraries; } // tools // libraries);
+
+      darwin = super.darwin // rec {
+        inherit (darwin) dyld Libsystem libiconv locale;
+
+        libxml2-nopython = super.libxml2.override { pythonSupport = false; };
+        CF = super.darwin.CF.override {
+          libxml2 = libxml2-nopython;
+          python = prevStage.python;
+        };
+      };
+    };
+  in with prevStage; stageFun 4 prevStage {
+    shell = "${pkgs.bash}/bin/bash";
+    extraNativeBuildInputs = with pkgs; [ xz pkgs.bash ];
+    extraBuildInputs = [ pkgs.darwin.CF ];
+    libcxx = pkgs.libcxx;
+
+    extraPreHook = ''
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+    overrides = persistent;
+  };
+
+  stdenvDarwin = prevStage: let
+    pkgs = prevStage;
+    persistent = self: super: with prevStage; {
+      inherit
+        gnumake gzip gnused bzip2 gawk ed xz patch bash
+        ncurses libffi zlib llvm gmp pcre gnugrep
+        coreutils findutils diffutils patchutils;
+
+      llvmPackages_5 = super.llvmPackages_5 // (let
+        tools = super.llvmPackages_5.tools.extend (_: super: {
+          inherit (llvmPackages_5) llvm clang-unwrapped;
+        });
+        libraries = super.llvmPackages_5.libraries.extend (_: _: {
+          inherit (llvmPackages_5) compiler-rt libcxx libcxxabi;
+        });
+      in { inherit tools libraries; } // tools // libraries);
+
+      # N.B: the important thing here is to ensure that python == python2
+      # == python27 or you get weird issues with inconsistent package sets.
+      # In a particularly subtle bug, I overrode python2 instead of python27
+      # here, and it caused gnome-doc-utils to complain about:
+      # "PyThreadState_Get: no current thread". This is because Python gets
+      # really unhappy if you have Python A which loads a native python lib
+      # which was linked against Python B, which in our case was happening
+      # because we didn't override python "deeply enough". Anyway, this works
+      # and I'm just leaving this blurb here so people realize why it matters
+      python27 = super.python27.override { CF = prevStage.darwin.CF; };
+
+      darwin = super.darwin // {
+        inherit (darwin) dyld ICU Libsystem libiconv;
+      } // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
+        inherit (darwin) binutils binutils-unwrapped cctools;
+      };
+    } // lib.optionalAttrs (super.stdenv.targetPlatform == localSystem) {
+      # Need to get rid of these when cross-compiling.
+      inherit binutils binutils-unwrapped;
+    };
+  in import ../generic rec {
+    name = "stdenv-darwin";
+
+    inherit config;
+    inherit (pkgs.stdenv) fetchurlBoot;
+
+    buildPlatform = localSystem;
+    hostPlatform = localSystem;
+    targetPlatform = localSystem;
+
+    preHook = commonPreHook + ''
+      export NIX_COREFOUNDATION_RPATH=${pkgs.darwin.CF}/Library/Frameworks
+      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+    '';
+
+    __stdenvImpureHostDeps = commonImpureHostDeps;
+    __extraImpureHostDeps = commonImpureHostDeps;
+
+    initialPath = import ../common-path.nix { inherit pkgs; };
+    shell       = "${pkgs.bash}/bin/bash";
+
+    cc = pkgs.llvmPackages.libcxxClang.override {
+      cc = pkgs.llvmPackages.clang-unwrapped;
+    };
+
+    extraNativeBuildInputs = [];
+    extraBuildInputs = [ pkgs.darwin.CF ];
+
+    extraAttrs = {
+      inherit platform bootstrapTools;
+      libc         = pkgs.darwin.Libsystem;
+      shellPackage = pkgs.bash;
+
+      # This is used all over the place so I figured I'd just leave it here for now
+      secure-format-patch = ./darwin-secure-format.patch;
+    };
+
+    allowedRequisites = (with pkgs; [
+      xz.out xz.bin libcxx libcxxabi gmp.out gnumake findutils bzip2.out
+      bzip2.bin llvmPackages.llvm llvmPackages.llvm.lib llvmPackages.compiler-rt llvmPackages.compiler-rt.dev
+      zlib.out zlib.dev libffi.out coreutils ed diffutils gnutar
+      gzip ncurses.out ncurses.dev ncurses.man gnused bash gawk
+      gnugrep llvmPackages.clang-unwrapped llvmPackages.clang-unwrapped.lib patch pcre.out gettext
+      binutils.bintools darwin.binutils darwin.binutils.bintools
+      curl.out openssl.out libssh2.out nghttp2.lib libkrb5
+      cc.expand-response-params
+    ]) ++ (with pkgs.darwin; [
+      dyld Libsystem CF cctools ICU libiconv locale libxml2-nopython.out
+    ]);
+
+    overrides = lib.composeExtensions persistent (self: super: {
+      clang = cc;
+      llvmPackages = super.llvmPackages // { clang = cc; };
+      inherit cc;
+
+      darwin = super.darwin // {
+        xnu = super.darwin.xnu.override { python = super.python.override { configd = null; }; };
+      };
+    });
+  };
+
+  stagesDarwin = [
+    ({}: stage0)
+    stage1
+    stage2
+    stage3
+    stage4
+    (prevStage: {
+      inherit config overlays;
+      stdenv = stdenvDarwin prevStage;
+    })
+  ];
+}
diff --git a/nixpkgs/pkgs/stdenv/darwin/make-bootstrap-tools.nix b/nixpkgs/pkgs/stdenv/darwin/make-bootstrap-tools.nix
new file mode 100644
index 000000000000..eee3b1ce0759
--- /dev/null
+++ b/nixpkgs/pkgs/stdenv/darwin/make-bootstrap-tools.nix
@@ -0,0 +1,352 @@
+{ pkgspath ? ../../.., test-pkgspath ? pkgspath, system ? builtins.currentSystem }:
+
+with import pkgspath { inherit system; };
+
+let
+  llvmPackages = llvmPackages_5;
+in rec {
+  coreutils_ = coreutils.override (args: {
+    # We want coreutils without ACL support.
+    aclSupport = false;
+    # Cannot use a single binary build, or it gets dynamically linked against gmp.
+    singleBinary = false;
+  });
+
+  # We want a version of cctools without LLVM, because the LTO support ends up making
+  # the bootstrap tools huge and isn't really necessary for bootstrap
+  cctools_ = darwin.cctools.override { llvm = null; };
+
+  # Avoid debugging larger changes for now.
+  bzip2_ = bzip2.override (args: { linkStatic = true; });
+
+  # Avoid messing with libkrb5 and libnghttp2.
+  curl_ = curl.override (args: { gssSupport = false; http2Support = false; });
+
+  build = stdenv.mkDerivation {
+    name = "stdenv-bootstrap-tools";
+
+    buildInputs = [nukeReferences cpio];
+
+    buildCommand = ''
+      mkdir -p $out/bin $out/lib $out/lib/system
+
+      # We're not going to bundle the actual libSystem.dylib; instead we reconstruct it on
+      # the other side. See the notes in stdenv/darwin/default.nix for more information.
+      # We also need the .o files for various low-level boot stuff.
+      cp -d ${darwin.Libsystem}/lib/*.o $out/lib
+      cp -d ${darwin.Libsystem}/lib/system/*.dylib $out/lib/system
+
+      # Resolv is actually a link to another package, so let's copy it properly
+      cp -L ${darwin.Libsystem}/lib/libresolv.9.dylib $out/lib
+
+      cp -rL ${darwin.Libsystem}/include $out
+      chmod -R u+w $out/include
+      cp -rL ${darwin.ICU}/include*             $out/include
+      cp -rL ${libiconv}/include/*       $out/include
+      cp -rL ${gnugrep.pcre.dev}/include/*   $out/include
+      mv $out/include $out/include-Libsystem
+
+      # Copy coreutils, bash, etc.
+      cp ${coreutils_}/bin/* $out/bin
+      (cd $out/bin && rm vdir dir sha*sum pinky factor pathchk runcon shuf who whoami shred users)
+
+      cp ${bash}/bin/bash $out/bin
+      cp ${findutils}/bin/find $out/bin
+      cp ${findutils}/bin/xargs $out/bin
+      cp -d ${diffutils}/bin/* $out/bin
+      cp -d ${gnused}/bin/* $out/bin
+      cp -d ${gnugrep}/bin/grep $out/bin
+      cp ${gawk}/bin/gawk $out/bin
+      cp -d ${gawk}/bin/awk $out/bin
+      cp ${gnutar}/bin/tar $out/bin
+      cp ${gzip}/bin/gzip $out/bin
+      cp ${bzip2_.bin}/bin/bzip2 $out/bin
+      cp -d ${gnumake}/bin/* $out/bin
+      cp -d ${patch}/bin/* $out/bin
+      cp -d ${xz.bin}/bin/xz $out/bin
+
+      # This used to be in-nixpkgs, but now is in the bundle
+      # because I can't be bothered to make it partially static
+      cp ${curl_.bin}/bin/curl $out/bin
+      cp -d ${curl_.out}/lib/libcurl*.dylib $out/lib
+      cp -d ${libssh2.out}/lib/libssh*.dylib $out/lib
+      cp -d ${openssl.out}/lib/*.dylib $out/lib
+
+      cp -d ${gnugrep.pcre.out}/lib/libpcre*.dylib $out/lib
+      cp -d ${lib.getLib libiconv}/lib/lib*.dylib $out/lib
+      cp -d ${gettext}/lib/libintl*.dylib $out/lib
+      chmod +x $out/lib/libintl*.dylib
+      cp -d ${ncurses.out}/lib/libncurses*.dylib $out/lib
+      cp -d ${libxml2.out}/lib/libxml2*.dylib $out/lib
+
+      # Copy what we need of clang
+      cp -d ${llvmPackages.clang-unwrapped}/bin/clang $out/bin
+      cp -d ${llvmPackages.clang-unwrapped}/bin/clang++ $out/bin
+      cp -d ${llvmPackages.clang-unwrapped}/bin/clang-[0-9].[0-9] $out/bin
+
+      cp -rL ${llvmPackages.clang-unwrapped}/lib/clang $out/lib
+
+      cp -d ${llvmPackages.libcxx}/lib/libc++*.dylib $out/lib
+      cp -d ${llvmPackages.libcxxabi}/lib/libc++abi*.dylib $out/lib
+
+      mkdir $out/include
+      cp -rd ${llvmPackages.libcxx}/include/c++     $out/include
+
+      cp -d ${darwin.ICU}/lib/libicu*.dylib $out/lib
+      cp -d ${zlib.out}/lib/libz.*       $out/lib
+      cp -d ${gmpxx.out}/lib/libgmp*.*   $out/lib
+      cp -d ${xz.out}/lib/liblzma*.*     $out/lib
+
+      # Copy binutils.
+      for i in as ld ar ranlib nm strip otool install_name_tool dsymutil lipo; do
+        cp ${cctools_}/bin/$i $out/bin
+      done
+
+      cp -rd ${pkgs.darwin.CF}/Library $out
+
+      chmod -R u+w $out
+
+      nuke-refs $out/bin/*
+
+      rpathify() {
+        local libs=$(${cctools_}/bin/otool -L "$1" | tail -n +2 | grep -o "$NIX_STORE.*-\S*") || true
+        for lib in $libs; do
+          ${cctools_}/bin/install_name_tool -change $lib "@rpath/$(basename $lib)" "$1"
+        done
+      }
+
+      # Strip executables even further
+      for i in $out/bin/*; do
+        if test -x $i -a ! -L $i; then
+          chmod +w $i
+          strip $i || true
+        fi
+      done
+
+      for i in $out/bin/* $out/lib/*.dylib $out/lib/clang/*/lib/darwin/*.dylib $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation; do
+        if test -x "$i" -a ! -L "$i"; then
+          echo "Adding rpath to $i"
+          rpathify $i
+        fi
+      done
+
+      nuke-refs $out/lib/*
+      nuke-refs $out/lib/system/*
+      nuke-refs $out/lib/clang/*/lib/darwin/*
+      nuke-refs $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
+
+      mkdir $out/.pack
+      mv $out/* $out/.pack
+      mv $out/.pack $out/pack
+
+      mkdir $out/on-server
+      cp ${stdenv.shell} $out/on-server/sh
+      cp ${cpio}/bin/cpio $out/on-server
+      cp ${coreutils_}/bin/mkdir $out/on-server
+      cp ${bzip2_.bin}/bin/bzip2 $out/on-server
+
+      chmod u+w $out/on-server/*
+      strip $out/on-server/*
+      nuke-refs $out/on-server/*
+
+      (cd $out/pack && (find | cpio -o -H newc)) | bzip2 > $out/on-server/bootstrap-tools.cpio.bz2
+    '';
+
+    allowedReferences = [];
+
+    meta = {
+      maintainers = [ stdenv.lib.maintainers.copumpkin ];
+    };
+  };
+
+  dist = stdenv.mkDerivation {
+    name = "stdenv-bootstrap-tools";
+
+    buildCommand = ''
+      mkdir -p $out/nix-support
+      echo "file tarball ${build}/on-server/bootstrap-tools.cpio.bz2" >> $out/nix-support/hydra-build-products
+      echo "file sh ${build}/on-server/sh" >> $out/nix-support/hydra-build-products
+      echo "file cpio ${build}/on-server/cpio" >> $out/nix-support/hydra-build-products
+      echo "file mkdir ${build}/on-server/mkdir" >> $out/nix-support/hydra-build-products
+      echo "file bzip2 ${build}/on-server/bzip2" >> $out/nix-support/hydra-build-products
+    '';
+  };
+
+  bootstrapFiles = {
+    sh      = "${build}/on-server/sh";
+    bzip2   = "${build}/on-server/bzip2";
+    mkdir   = "${build}/on-server/mkdir";
+    cpio    = "${build}/on-server/cpio";
+    tarball = "${build}/on-server/bootstrap-tools.cpio.bz2";
+  };
+
+  unpack = stdenv.mkDerivation (bootstrapFiles // {
+    name = "unpack";
+
+    reexportedLibrariesFile =
+      ../../os-specific/darwin/apple-source-releases/Libsystem/reexported_libraries;
+
+    # This is by necessity a near-duplicate of unpack-bootstrap-tools.sh. If we refer to it directly,
+    # we can't make any changes to it due to our testing stdenv depending on it. Think of this as the
+    # unpack-bootstrap-tools.sh for the next round of bootstrap tools.
+    # TODO: think through alternate designs, such as hosting this script as an output of the process.
+    buildCommand = ''
+      # Unpack the bootstrap tools tarball.
+      echo Unpacking the bootstrap tools...
+      $mkdir $out
+      $bzip2 -d < $tarball | (cd $out && $cpio -i)
+
+      # Set the ELF interpreter / RPATH in the bootstrap binaries.
+      echo Patching the tools...
+
+      export PATH=$out/bin
+
+      for i in $out/bin/*; do
+        if ! test -L $i; then
+          echo patching $i
+          install_name_tool -add_rpath $out/lib $i || true
+        fi
+      done
+
+      install_name_tool \
+        -id $out/lib/system/libsystem_c.dylib \
+        $out/lib/system/libsystem_c.dylib
+
+      install_name_tool \
+        -id $out/lib/system/libsystem_kernel.dylib \
+        $out/lib/system/libsystem_kernel.dylib
+
+      # TODO: this logic basically duplicates similar logic in the Libsystem expression. Deduplicate them!
+      libs=$(cat $reexportedLibrariesFile | grep -v '^#')
+
+      for i in $libs; do
+        if [ "$i" != "/usr/lib/system/libsystem_kernel.dylib" ] && [ "$i" != "/usr/lib/system/libsystem_c.dylib" ]; then
+          args="$args -reexport_library $i"
+        fi
+      done
+
+      ld -macosx_version_min 10.7 \
+         -arch x86_64 \
+         -dylib \
+         -o $out/lib/libSystem.B.dylib \
+         -compatibility_version 1.0 \
+         -current_version 1226.10.1 \
+         -reexport_library $out/lib/system/libsystem_c.dylib \
+         -reexport_library $out/lib/system/libsystem_kernel.dylib \
+         $args
+
+      ln -s libSystem.B.dylib $out/lib/libSystem.dylib
+
+      for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.10.4 gcc_s.10.5; do
+        ln -s libSystem.dylib $out/lib/lib$name.dylib
+      done
+
+      ln -s libresolv.9.dylib $out/lib/libresolv.dylib
+
+      for i in $out/lib/*.dylib $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation; do
+        if test ! -L "$i" -a "$i" != "$out/lib/libSystem*.dylib"; then
+          echo "Patching $i"
+
+          id=$(otool -D "$i" | tail -n 1)
+          install_name_tool -id "$(dirname $i)/$(basename $id)" $i
+
+          libs=$(otool -L "$i" | tail -n +2 | grep -v libSystem | cat)
+          if [ -n "$libs" ]; then
+            install_name_tool -add_rpath $out/lib $i
+          fi
+        fi
+      done
+
+      ln -s bash $out/bin/sh
+      ln -s bzip2 $out/bin/bunzip2
+
+      # Provide a gunzip script.
+      cat > $out/bin/gunzip <<EOF
+      #!$out/bin/sh
+      exec $out/bin/gzip -d "\$@"
+      EOF
+      chmod +x $out/bin/gunzip
+
+      # Provide fgrep/egrep.
+      echo "#! $out/bin/sh" > $out/bin/egrep
+      echo "exec $out/bin/grep -E \"\$@\"" >> $out/bin/egrep
+      echo "#! $out/bin/sh" > $out/bin/fgrep
+      echo "exec $out/bin/grep -F \"\$@\"" >> $out/bin/fgrep
+
+      cat >$out/bin/dsymutil << EOF
+      #!$out/bin/sh
+      EOF
+
+      chmod +x $out/bin/egrep $out/bin/fgrep $out/bin/dsymutil
+    '';
+
+    allowedReferences = [ "out" ];
+  });
+
+  test = stdenv.mkDerivation {
+    name = "test";
+
+    realBuilder = "${unpack}/bin/bash";
+
+    buildCommand = ''
+      export PATH=${unpack}/bin
+      ls -l
+      mkdir $out
+      mkdir $out/bin
+      sed --version
+      find --version
+      diff --version
+      patch --version
+      make --version
+      awk --version
+      grep --version
+      clang --version
+      xz --version
+
+      # The grep will return a nonzero exit code if there is no match, and we want to assert that we have
+      # an SSL-capable curl
+      curl --version | grep SSL
+
+      ${build}/on-server/sh -c 'echo Hello World'
+
+      export flags="-idirafter ${unpack}/include-Libsystem --sysroot=${unpack} -L${unpack}/lib"
+
+      export CPP="clang -E $flags"
+      export CC="clang $flags -Wl,-rpath,${unpack}/lib -Wl,-v -Wl,-sdk_version,10.10"
+      export CXX="clang++ $flags --stdlib=libc++ -lc++abi -isystem${unpack}/include/c++/v1 -Wl,-rpath,${unpack}/lib -Wl,-v -Wl,-sdk_version,10.10"
+
+      echo '#include <stdio.h>' >> foo.c
+      echo '#include <float.h>' >> foo.c
+      echo '#include <limits.h>' >> foo.c
+      echo 'int main() { printf("Hello World\n"); return 0; }' >> foo.c
+      $CC -o $out/bin/foo foo.c
+      $out/bin/foo
+
+      echo '#include <CoreFoundation/CoreFoundation.h>' >> bar.c
+      echo 'int main() { CFShow(CFSTR("Hullo")); return 0; }' >> bar.c
+      $CC -F${unpack}/Library/Frameworks -framework CoreFoundation -o $out/bin/bar bar.c
+      $out/bin/bar
+
+      echo '#include <iostream>' >> bar.cc
+      echo 'int main() { std::cout << "Hello World\n"; }' >> bar.cc
+      $CXX -v -o $out/bin/bar bar.cc
+      $out/bin/bar
+
+      tar xvf ${hello.src}
+      cd hello-*
+      ./configure --prefix=$out
+      make
+      make install
+
+      $out/bin/hello
+    '';
+  };
+
+  # The ultimate test: bootstrap a whole stdenv from the tools specified above and get a package set out of it
+  test-pkgs = import test-pkgspath {
+    inherit system;
+    stdenvStages = args: let
+        args' = args // { inherit bootstrapFiles; };
+      in (import (test-pkgspath + "/pkgs/stdenv/darwin") args').stagesDarwin;
+  };
+}
diff --git a/nixpkgs/pkgs/stdenv/darwin/portable-libsystem.sh b/nixpkgs/pkgs/stdenv/darwin/portable-libsystem.sh
new file mode 100644
index 000000000000..f50ccc8d32ee
--- /dev/null
+++ b/nixpkgs/pkgs/stdenv/darwin/portable-libsystem.sh
@@ -0,0 +1,12 @@
+# Make /nix/store/...-libSystem “portable” for static built binaries.
+# This just rewrites everything in $1/bin to use the
+# /usr/lib/libSystem.B.dylib that is provided on every macOS system.
+
+fixupOutputHooks+=('fixLibsystemRefs $prefix')
+
+fixLibsystemRefs() {
+  if [ -d "$1/bin" ]; then
+      find "$1/bin" -exec \
+        install_name_tool -change @libsystem@ /usr/lib/libSystem.B.dylib {} \;
+  fi
+}
diff --git a/nixpkgs/pkgs/stdenv/darwin/unpack-bootstrap-tools.sh b/nixpkgs/pkgs/stdenv/darwin/unpack-bootstrap-tools.sh
new file mode 100644
index 000000000000..0da80ec5ce56
--- /dev/null
+++ b/nixpkgs/pkgs/stdenv/darwin/unpack-bootstrap-tools.sh
@@ -0,0 +1,89 @@
+set -e
+
+# Unpack the bootstrap tools tarball.
+echo Unpacking the bootstrap tools...
+$mkdir $out
+$bzip2 -d < $tarball | (cd $out && $cpio -i)
+
+# Set the ELF interpreter / RPATH in the bootstrap binaries.
+echo Patching the tools...
+
+export PATH=$out/bin
+
+for i in $out/bin/*; do
+  if ! test -L $i; then
+    echo patching $i
+    install_name_tool -add_rpath $out/lib $i || true
+  fi
+done
+
+install_name_tool \
+  -id $out/lib/system/libsystem_c.dylib \
+  $out/lib/system/libsystem_c.dylib
+
+install_name_tool \
+  -id $out/lib/system/libsystem_kernel.dylib \
+  $out/lib/system/libsystem_kernel.dylib
+
+# TODO: this logic basically duplicates similar logic in the Libsystem expression. Deduplicate them!
+libs=$(cat $reexportedLibrariesFile | grep -v '^#')
+
+for i in $libs; do
+  if [ "$i" != "/usr/lib/system/libsystem_kernel.dylib" ] && [ "$i" != "/usr/lib/system/libsystem_c.dylib" ]; then
+    args="$args -reexport_library $i"
+  fi
+done
+
+ld -macosx_version_min 10.7 \
+   -arch x86_64 \
+   -dylib \
+   -o $out/lib/libSystem.B.dylib \
+   -compatibility_version 1.0 \
+   -current_version 1226.10.1 \
+   -reexport_library $out/lib/system/libsystem_c.dylib \
+   -reexport_library $out/lib/system/libsystem_kernel.dylib \
+   $args
+
+ln -s libSystem.B.dylib $out/lib/libSystem.dylib
+
+for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.10.4 gcc_s.10.5; do
+  ln -s libSystem.dylib $out/lib/lib$name.dylib
+done
+
+ln -s libresolv.9.dylib $out/lib/libresolv.dylib
+
+for i in $out/lib/*.dylib $out/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation; do
+  if test ! -L "$i" -a "$i" != "$out/lib/libSystem*.dylib"; then
+    echo "Patching $i"
+
+    id=$(otool -D "$i" | tail -n 1)
+    install_name_tool -id "$(dirname $i)/$(basename $id)" $i
+
+    libs=$(otool -L "$i" | tail -n +2 | grep -v libSystem | cat)
+    if [ -n "$libs" ]; then
+      install_name_tool -add_rpath $out/lib $i
+    fi
+  fi
+done
+
+ln -s bash $out/bin/sh
+ln -s bzip2 $out/bin/bunzip2
+
+# Provide a gunzip script.
+cat > $out/bin/gunzip <<EOF
+#!$out/bin/sh
+exec $out/bin/gzip -d "\$@"
+EOF
+chmod +x $out/bin/gunzip
+
+# Provide fgrep/egrep.
+echo "#! $out/bin/sh" > $out/bin/egrep
+echo "exec $out/bin/grep -E \"\$@\"" >> $out/bin/egrep
+echo "#! $out/bin/sh" > $out/bin/fgrep
+echo "exec $out/bin/grep -F \"\$@\"" >> $out/bin/fgrep
+
+cat >$out/bin/dsymutil << EOF
+#!$out/bin/sh
+EOF
+
+chmod +x $out/bin/egrep $out/bin/fgrep $out/bin/dsymutil