exarkun/gist:5c6fef64cabdcd2c68e04b0452882118

## gistfile1.txt
{nix-thunk}: self: super: let

  # Customize the Botan2 build to be minimal and to compile successfully when
  # the host platform is Android.
  extraConfigureFlags = { stdenv, botan2 }:
    (botan2.extraConfigureFlags or "") + (
      builtins.concatStringsSep " " ([
        # enable debug symbols and disables optimizations.
        "--debug-mode"

        # turn off everything except core modules to save build time and
        # dependency complexity.
        "--minimized-build"

        # turn zfec back on, as that's what we actually need, and the ffi
        # interface to it.
        "--enable-modules=zfec,ffi"
      ] ++ (
        if stdenv.hostPlatform.isAndroid then [
          # convince it to build for an Android system.
          "--cpu=arm${
            if stdenv.hostPlatform.isAarch32
            then "32"
            else "64"
          }"
          "--os=android"
        ] else []
      )));
  customizedBotan2 = { stdenv, botan2, python3 }:
    (botan2.override (old: {
      # Customize the Botan2 build to our particular needs (strip away pieces
      # we don't need, perhaps fix the compiler flags for our platform).
      extraConfigureFlags = extraConfigureFlags { inherit stdenv botan2; };

      # Fortunately we don't need SSL from Botan so we can just turn this off.
      # In addition to removing the nixpkgs-visible dependency on OpenSSL,
      # passing null here should cause the expression we're overriding to pass
      # the necessary flags to disable OpenSSL in the build (so we don't need
      # to pass those flags ourselves below).
      openssl = null;

      # Botan only depends on Boost for some TLS-related functionality that we
      # don't use.  Boost is an expensive build and has some issues
      # cross-compiling to Android.  We can remove the Boost dependency
      # (disabling all of the Botan functionality that depends on it) by not
      # supplying a Boost derivation at all.
      boost = null;

      # Keep a native Python out of the derivation's buildInputs.  It's a
      # build-time dependency.  We'll add it as such below.
      python3 = null;

    })).overrideAttrs ({ nativeBuildInputs ? [], meta ? {}, ... }: {
      # Supply the source version we want to use.
      src = nix-thunk.thunkSource ./dep/botan;
      # The derivation includes a sed expression to adjust some C++ compiler
      # flags but they changes are not appropriate for our version of the
      # source.  Disable that change.
      postPatch = null;

      nativeBuildInputs = nativeBuildInputs ++ [
        # Also make sure we use Python 3 (from the *build system* package set:
        # it is a build-time dependency) as that's what's required by the
        # newer version of Botan's build system.  The correct Python 3 ought
        # to have been passed in to us.
        python3
      ];

      meta =
        meta // {
          # The derivation declares its supported platforms and they don't
          # include the ones we need for Android.  Adjust that declaration so
          # that it does.
          platforms = meta.platforms ++ ["aarch64-linux" "armv7a-linux"];
        };
    });

in rec {
  botan2 =
    let
      nixpkgs-new = import (nix-thunk.thunkSource ./dep/nixpkgs-22.11) {
        system = "x86_64-linux";
      };
      pkgs = nixpkgs-new.pkgsCross.aarch64-android-prebuilt;
    in
      pkgs.callPackage customizedBotan2 { };

  # For whatever reason, it seems callCabal2nix for tahoe-chk wants to use the
  # botan package rather than botan2.  We could override the pkgconfigDepends
  # of the resulting package if we needed both, but this is easier.
  botan = self.botan2;

  # Bash doesn't build against Bionic because of stuff that Bionic does with
  # Fortify.  However, we can disable Fortify in Bash on Android which seems
  # to resolve the issue.
  bash =
    if self.stdenv.hostPlatform.isAndroid
    then
      super.bash.overrideAttrs (old: {
        hardeningDisable = ["fortify"];
      })
    else super.bash;
}
	{nix-thunk}: self: super: let

	# Customize the Botan2 build to be minimal and to compile successfully when
	# the host platform is Android.
	extraConfigureFlags = { stdenv, botan2 }:
	(botan2.extraConfigureFlags or "") + (
	builtins.concatStringsSep " " ([
	# enable debug symbols and disables optimizations.
	"--debug-mode"

	# turn off everything except core modules to save build time and
	# dependency complexity.
	"--minimized-build"

	# turn zfec back on, as that's what we actually need, and the ffi
	# interface to it.
	"--enable-modules=zfec,ffi"
	] ++ (
	if stdenv.hostPlatform.isAndroid then [
	# convince it to build for an Android system.
	"--cpu=arm${
	if stdenv.hostPlatform.isAarch32
	then "32"
	else "64"
	}"
	"--os=android"
	] else []
	)));
	customizedBotan2 = { stdenv, botan2, python3 }:
	(botan2.override (old: {
	# Customize the Botan2 build to our particular needs (strip away pieces
	# we don't need, perhaps fix the compiler flags for our platform).
	extraConfigureFlags = extraConfigureFlags { inherit stdenv botan2; };

	# Fortunately we don't need SSL from Botan so we can just turn this off.
	# In addition to removing the nixpkgs-visible dependency on OpenSSL,
	# passing null here should cause the expression we're overriding to pass
	# the necessary flags to disable OpenSSL in the build (so we don't need
	# to pass those flags ourselves below).
	openssl = null;

	# Botan only depends on Boost for some TLS-related functionality that we
	# don't use. Boost is an expensive build and has some issues
	# cross-compiling to Android. We can remove the Boost dependency
	# (disabling all of the Botan functionality that depends on it) by not
	# supplying a Boost derivation at all.
	boost = null;

	# Keep a native Python out of the derivation's buildInputs. It's a
	# build-time dependency. We'll add it as such below.
	python3 = null;

	})).overrideAttrs ({ nativeBuildInputs ? [], meta ? {}, ... }: {
	# Supply the source version we want to use.
	src = nix-thunk.thunkSource ./dep/botan;
	# The derivation includes a sed expression to adjust some C++ compiler
	# flags but they changes are not appropriate for our version of the
	# source. Disable that change.
	postPatch = null;

	nativeBuildInputs = nativeBuildInputs ++ [
	# Also make sure we use Python 3 (from the build system package set:
	# it is a build-time dependency) as that's what's required by the
	# newer version of Botan's build system. The correct Python 3 ought
	# to have been passed in to us.
	python3
	];

	meta =
	meta // {
	# The derivation declares its supported platforms and they don't
	# include the ones we need for Android. Adjust that declaration so
	# that it does.
	platforms = meta.platforms ++ ["aarch64-linux" "armv7a-linux"];
	};
	});

	in rec {
	botan2 =
	let
	nixpkgs-new = import (nix-thunk.thunkSource ./dep/nixpkgs-22.11) {
	system = "x86_64-linux";
	};
	pkgs = nixpkgs-new.pkgsCross.aarch64-android-prebuilt;
	in
	pkgs.callPackage customizedBotan2 { };

	# For whatever reason, it seems callCabal2nix for tahoe-chk wants to use the
	# botan package rather than botan2. We could override the pkgconfigDepends
	# of the resulting package if we needed both, but this is easier.
	botan = self.botan2;

	# Bash doesn't build against Bionic because of stuff that Bionic does with
	# Fortify. However, we can disable Fortify in Bash on Android which seems
	# to resolve the issue.
	bash =
	if self.stdenv.hostPlatform.isAndroid
	then
	super.bash.overrideAttrs (old: {
	hardeningDisable = ["fortify"];
	})
	else super.bash;
	}