Haskell Foundation DevOps Weekly Update, 2022-12-21

chreekat · December 21, 2022, 1:41pm

Hello, welcome to week 27!

Like last week, I am working on Mac notarization for GHC. Since it’s
my main focus, I will say a few more words about it.

Apple “code signing” and “notarization” are malware-prevention systems built
into macOS. They require developers to preprocess apps in a way that macOS can
verify. My task is to implement those processes for GHC, test them, automate the
process and tests, and add it all to CI. I also want to ensure that notarized
versions of GHC can be installed with Stack and GHCUp.

Right now, the “GHC official bindist” install script (and GHCUp) uses a hacky
workaround that bypasses the code signing and notarization requirements. (I’m
not sure what Stack does here! Does Stack even work on modern macOS, other than
via GHCUp’s “unofficial binaries”?) I want to make those workarounds go away so
that we don’t have any more trouble with Mac than necessary.

Other minor things I finished in the last week:

Bought a Mac Mini to enable the notarization work
Used my shiny new Mac to begin investigating how macOS behaves regarding code
signing and notarization
Wrote a script to remove hundreds of spammy snippets on GHC GitLab
Did some git bookkeeping for the gitlab server + bots
Tried fixing my full-text search database, a tool I use for investigating CI
errors
Continued observing CI and raising issues

See ya next week!

romes · December 22, 2022, 7:39am

Thanks for the explanation!

mpickering · December 22, 2022, 8:08am

Thanks Bryan, this kind of change should be invisible to users but really important behind the scenes. Really happy to see you take this up.

hasufell · December 22, 2022, 12:36pm

The only existing stack M1 binaries are unofficially built by GHCup devs.

I’m not sure how stack’s GHC installation works on M1.

github.com

commercialhaskell/stack/blob/2077c87af5660c78f1ecf1bd8d84de740a5e4793/src/Stack/Setup.hs#L1714

    
      
              let ghcConfigureEnv =
                    fromMaybe Map.empty mGccEnv `Map.union` gdiConfigureEnv downloadInfo
          
          
    logSticky "Configuring GHC ..."
              runStep "configuring" dir
                  ghcConfigureEnv
                  (toFilePath $ dir </> relFileConfigure)
                  (("--prefix=" ++ toFilePath destDir) : map T.unpack (gdiConfigureOpts downloadInfo))
          
          
    logSticky "Installing GHC ..."
              runStep "installing" dir mempty makeTool ["install"]
          
          
    logStickyDone $ "Installed GHC."
              logDebug $ "GHC installed to " <> fromString (toFilePath destDir)
          
          
-- | Check if given processes appear to be present, throwing an exception if
          -- missing.
          checkDependencies :: CheckDependency env a -> RIO env a
          checkDependencies (CheckDependency f) = f >>= either (throwIO . MissingDependencies) pure
          
          
checkDependency :: HasProcessContext env => String -> CheckDependency env String

At least I can’t see any xattr steps there. Are they still necessary? Who knows.

chreekat · December 22, 2022, 12:46pm

I also had a look at the Stack code (no “xattr” anywhere) and the issues pertaining to macOS (long list is long) and decided this is probably an opportunity to push things forward a bit.

Edit to reiterate that I think everyone should use GHCUp, anyway.

hasufell · December 22, 2022, 12:49pm

I’ve proposed: Can stack utilize ghcup? · Issue #719 · haskell/ghcup-hs · GitHub