macOS 10.11+ now using mksh by default

To: pkgsrc-users%pkgsrc.org@localhost
Subject: macOS 10.11+ now using mksh by default
From: Jonathan Perkin <jperkin%joyent.com@localhost>
Date: Mon, 6 Jul 2020 12:12:54 +0100

Hey macOS users.

With this commit, El Capitan and newer now build shells/mksh as part
of bootstrap, and use it as the primary shell across pkgsrc.  This
should help avoid issues with SIP unsetting important variables like
LD_LIBRARY_PATH and breaking builds.

It may also speed up package builds a little, assuming you were
previously using the default system bash as the primary shell.

I've tested this in bulk builds which look fine, but please let me
know if you run into any problems with this and I'll look into it as
soon as possible.

I'll be pushing an update for my Mojave-based binary package set over
the next few days to include this, so that will also increase the
wider testing.

Thanks!

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

--- Begin Message ---

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/bootstrap
From: "Jonathan Perkin" <jperkin%netbsd.org@localhost>
Date: Mon, 6 Jul 2020 10:43:47 +0000

Module Name:	pkgsrc
Committed By:	jperkin
Date:		Mon Jul  6 10:43:47 UTC 2020

Modified Files:
	pkgsrc/bootstrap: bootstrap

Log Message:
boostrap: Enable mksh by default on macOS 10.11+.

El Capitan (10.11) introduced System Integrity Protection (SIP), and one of
the side effects of this protection is that system shells (i.e. /bin/*sh)
unset any variables that may affect the security of the system.  This causes
problems with packages that rely on e.g. LD_LIBRARY_PATH.

Using a shell outside of the system paths allows us to work around this, at
least for now.

Tested in bulk builds on macOS Catalina, though with SIP disabled (as there
is no way to run sandboxed builds with SIP enabled).


To generate a diff of this commit:
cvs rdiff -u -r1.285 -r1.286 pkgsrc/bootstrap/bootstrap

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/bootstrap/bootstrap
diff -u pkgsrc/bootstrap/bootstrap:1.285 pkgsrc/bootstrap/bootstrap:1.286
--- pkgsrc/bootstrap/bootstrap:1.285	Mon Jul  6 10:25:29 2020
+++ pkgsrc/bootstrap/bootstrap	Mon Jul  6 10:43:47 2020
@@ -1,6 +1,6 @@
 #! /bin/sh
 
-# $NetBSD: bootstrap,v 1.285 2020/07/06 10:25:29 jperkin Exp $
+# $NetBSD: bootstrap,v 1.286 2020/07/06 10:43:47 jperkin Exp $
 #
 # Copyright (c) 2001-2011 Alistair Crooks <agc%NetBSD.org@localhost>
 # All rights reserved.
@@ -589,6 +589,15 @@ Darwin)
 		need_sed=yes
 	fi
 
+	# Avoid system shells on macOS versions that enable System Integrity
+	# Protection (SIP) as it affects packages that rely on variables such
+	# as LD_LIBRARY_PATH.  SIP unsets any variables that may affect
+	# security when using system binaries, i.e. /bin/*sh, but using a
+	# non-system shell is unaffected, at least for now.
+	if [ $macos_version -ge 1011 ]; then
+		need_mksh=yes
+	fi
+
 	case "$macos_version" in
 	100[7-9])
 		packagemaker=/Applications/PackageMaker.app/Contents/MacOS/PackageMaker

--- End Message ---

Follow-Ups:
- Re: macOS 10.11+ now using mksh by default
  - From: Greg Troxel

Prev by Date: Re: xentools41[1,3]
Next by Date: Re: xentools41[1,3]
Previous by Thread: Linking SDL2 fails on linux sparc
Next by Thread: Re: macOS 10.11+ now using mksh by default
Indexes:

Home | Main Index | Thread Index | Old Index