author | Vladimír Čunát <vcunat@gmail.com> | 2017-02-27 17:41:35 +0100 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2017-02-27 18:23:20 +0100 |
commit | d00c26a59570d7cd93470808cc38def83a523762 (patch) | |
tree | 77c97b6e46b1f8ef1f8ebed733f4c37dac87dee2 /pkgs/tools/networking/unbound | |
parent | 78e4f9d8d7f6124713a7694140e44713fe70e209 (diff) | |
unbound: lighten direct security deps of libunbound
Unfortunately, it seems easiest to build everything twice. Debian testing does this in a very similar way. Briefly tested some individual queries and resperf :-)
Diffstat (limited to 'pkgs/tools/networking/unbound')
-rw-r--r-- | pkgs/tools/networking/unbound/default.nix | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix index 83d3d88729df..f32a90a871ae 100644 --- a/pkgs/tools/networking/unbound/default.nix +++ b/pkgs/tools/networking/unbound/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, openssl, expat, libevent }: +{ stdenv, fetchurl, openssl, nettle, expat, libevent }: stdenv.mkDerivation rec { name = "unbound-${version}"; @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB - buildInputs = [ openssl expat libevent ]; + buildInputs = [ openssl nettle expat libevent ]; configureFlags = [ "--with-ssl=${openssl.dev}" @@ -26,11 +26,20 @@ stdenv.mkDerivation rec { installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ]; - # get rid of runtime dependencies on $dev outputs - postInstall = ''substituteInPlace "$lib/lib/libunbound.la" '' + preFixup = + # Build libunbound again, but only against nettle instead of openssl. + # This avoids gnutls.out -> unbound.lib -> openssl.out. + '' + configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only" + configurePhase + buildPhase + installPhase + '' + # get rid of runtime dependencies on $dev outputs + + ''substituteInPlace "$lib/lib/libunbound.la" '' + stdenv.lib.concatMapStrings (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ") - [ openssl expat libevent ]; + buildInputs; meta = with stdenv.lib; { description = "Validating, recursive, and caching DNS resolver"; |
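Review bot: The rebuilt libunbound is dropped into `$lib` by the second `installPhase` in `preFixup`, but nothing verifies that the openssl reference is actually gone, so a later change in upstream's configure or in what libtool records in `dependency_libs` would silently bring back the `gnutls.out -> unbound.lib -> openssl.out` edge this commit exists to cut. A cheap guard at the end of the derivation would turn that into a build failure: `postFixup = ''if grep -rq "${openssl.out}" "$lib"; then echo "libunbound still references openssl" >&2; exit 1; fi'';`. Related, the `.la` rewrite now loops over `buildInputs`, but the nettle build links hogweed and presumably gmp, which is not in `buildInputs`; if libtool writes `-L${gmp.dev}/lib` into `dependency_libs`, a `dev` output reference the loop is meant to strip would survive, so the resulting `.la` is worth inspecting after the rebuild. Note also that `configureFlags="$configureFlags ..."` relies on stdenv passing the flags as one space-joined string, which holds here but would need revisiting if the list is ever handed over as an array. The enclosing `stdenv.mkDerivation rec { ... }` starts before the hunk and ends after it.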