Created February 22, 2023 13:32
{nix-thunk}: self: super: let
  # Customize the Botan2 build to be minimal and to compile successfully when
  # the host platform is Android.
  extraConfigureFlags = { stdenv, botan2 }:
    (botan2.extraConfigureFlags or "") + (
      builtins.concatStringsSep " " ([
        # enable debug symbols and disable optimizations.

        # turn off everything except core modules to save build time and
        # dependency complexity.

        # turn zfec back on, as that's what we actually need, and the ffi
        # interface to it.
      ] ++ (
        if stdenv.hostPlatform.isAndroid then [
          # convince it to build for an Android system.
          if stdenv.hostPlatform.isAarch32
          then "32"
          else "64"
        ] else []
      ))
    );

  customizedBotan2 = { stdenv, botan2, python3 }:
    (botan2.override (old: {
      # Customize the Botan2 build to our particular needs (strip away pieces
      # we don't need, perhaps fix the compiler flags for our platform).
      extraConfigureFlags = extraConfigureFlags { inherit stdenv botan2; };

      # Fortunately we don't need SSL from Botan so we can just turn this off.
      # In addition to removing the nixpkgs-visible dependency on OpenSSL,
      # passing null here should cause the expression we're overriding to pass
      # the necessary flags to disable OpenSSL in the build (so we don't need
      # to pass those flags ourselves below).
      openssl = null;

      # Botan only depends on Boost for some TLS-related functionality that we
      # don't use. Boost is an expensive build and has some issues
      # cross-compiling to Android. We can remove the Boost dependency
      # (disabling all of the Botan functionality that depends on it) by not
      # supplying a Boost derivation at all.
      boost = null;

      # Keep a native Python out of the derivation's buildInputs. It's a
      # build-time dependency. We'll add it as such below.
      python3 = null;
    })).overrideAttrs ({ nativeBuildInputs ? [], meta ? {}, ... }: {
      # Supply the source version we want to use.
      src = nix-thunk.thunkSource ./dep/botan;

      # The derivation includes a sed expression to adjust some C++ compiler
      # flags but the changes are not appropriate for our version of the
      # source. Disable that change.
      postPatch = null;

      nativeBuildInputs = nativeBuildInputs ++ [
        # Also make sure we use Python 3 (from the *build system* package set:
        # it is a build-time dependency) as that's what's required by the
        # newer version of Botan's build system. The correct Python 3 ought
        # to have been passed in to us.
        python3
      ];

      meta =
        meta // {
          # The derivation declares its supported platforms and they don't
          # include the ones we need for Android. Adjust that declaration so
          # that it does.
          platforms = meta.platforms ++ ["aarch64-linux" "armv7a-linux"];
        };
    });
in rec {
  botan2 =
    let
      nixpkgs-new = import (nix-thunk.thunkSource ./dep/nixpkgs-22.11) {
        system = "x86_64-linux";
      };
      pkgs = nixpkgs-new.pkgsCross.aarch64-android-prebuilt;
    in
      pkgs.callPackage customizedBotan2 { };

  # For whatever reason, it seems callCabal2nix for tahoe-chk wants to use the
  # botan package rather than botan2. We could override the pkgconfigDepends
  # of the resulting package if we needed both, but this is easier.
  botan = self.botan2;

  # Bash doesn't build against Bionic because of stuff that Bionic does with
  # Fortify. However, we can disable Fortify in Bash on Android which seems
  # to resolve the issue.
  bash =
    if self.stdenv.hostPlatform.isAndroid
    then
      super.bash.overrideAttrs (old: {
        hardeningDisable = ["fortify"];
      })
    else super.bash;
}