1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
|
{
lib,
stdenv,
fetchurl,
buildPackages,
libiconv,
perl,
xz,
binlore,
gmpSupport ? true,
gmp,
aclSupport ? lib.meta.availableOn stdenv.hostPlatform acl,
acl,
attrSupport ? lib.meta.availableOn stdenv.hostPlatform attr,
attr,
selinuxSupport ? false,
libselinux,
libsepol,
# No openssl in default version, so openssl-induced rebuilds aren't too big.
# It makes *sum functions significantly faster.
minimal ? true,
withOpenssl ? !minimal,
openssl,
withPrefix ? false,
singleBinary ? "symlinks", # you can also pass "shebangs" or false
}:
# Note: this package is used for bootstrapping fetchurl, and thus cannot use
# fetchpatch! All mutable patches (generated by GitHub or cgit) that are needed
# here should be included directly in Nixpkgs as files.
assert aclSupport -> acl != null;
assert selinuxSupport -> libselinux != null && libsepol != null;
let
inherit (lib)
concatStringsSep
isString
optional
optionalAttrs
optionals
optionalString
;
isCross = (stdenv.hostPlatform != stdenv.buildPlatform);
in
stdenv.mkDerivation (finalAttrs: {
pname = "coreutils" + (optionalString (!minimal) "-full");
version = "9.11";
src = fetchurl {
url = "mirror://gnu/coreutils/coreutils-${finalAttrs.version}.tar.xz";
hash = "sha256-OUAk7aCllVIXztqc0SAeZdyPo6opwpURNaSVIdV8PMM=";
};
postPatch = ''
# The test tends to fail on btrfs, f2fs and maybe other unusual filesystems.
sed '2i echo Skipping dd sparse test && exit 77' -i ./tests/dd/sparse.sh
sed '2i echo Skipping du threshold test && exit 77' -i ./tests/du/threshold.sh
sed '2i echo Skipping cp reflink-auto test && exit 77' -i ./tests/cp/reflink-auto.sh
sed '2i echo Skipping cp sparse test && exit 77' -i ./tests/cp/sparse.sh
sed '2i echo Skipping env test && exit 77' -i ./tests/env/env.sh
sed '2i echo Skipping rm deep-2 test && exit 77' -i ./tests/rm/deep-2.sh
sed '2i echo Skipping du long-from-unreadable test && exit 77' -i ./tests/du/long-from-unreadable.sh
# The test tends to fail on cephfs
sed '2i echo Skipping df total-verify test && exit 77' -i ./tests/df/total-verify.sh
# Some target platforms, especially when building inside a container have
# issues with the inotify test.
sed '2i echo Skipping tail inotify dir recreate test && exit 77' -i ./tests/tail/inotify-dir-recreate.sh
# sandbox does not allow setgid
sed '2i echo Skipping chmod setgid test && exit 77' -i ./tests/chmod/setgid.sh
substituteInPlace ./tests/install/install-C.sh \
--replace 'mode3=2755' 'mode3=1755'
# Fails on systems with a rootfs. Looks like a bug in the test, see
# https://lists.gnu.org/archive/html/bug-coreutils/2019-12/msg00000.html
sed '2i print "Skipping df skip-rootfs test"; exit 77' -i ./tests/df/skip-rootfs.sh
# these tests fail in the unprivileged nix sandbox (without nix-daemon) as we break posix assumptions
for f in ./tests/chgrp/{basic.sh,recurse.sh,default-no-deref.sh,no-x.sh,posix-H.sh}; do
sed '2i echo Skipping chgrp && exit 77' -i "$f"
done
for f in gnulib-tests/{test-chown.c,test-fchownat.c,test-lchown.c}; do
echo "int main() { return 77; }" > "$f"
done
# We don't have localtime in the sandbox
for f in gnulib-tests/{test-localtime_r.c,test-localtime_r-mt.c}; do
echo "int main() { return 77; }" > "$f"
done
# These tests sometimes fail on ZFS-backed NFS filesystems
sed '2i echo "Skipping test: fails on zfs " && exit 77' -i gnulib-tests/test-file-has-acl-1.sh
sed '2i echo "Skipping test: fails on zfs " && exit 77' -i gnulib-tests/test-set-mode-acl-1.sh
sed '2i echo "Skipping test: ls/removed-directory" && exit 77' -i ./tests/ls/removed-directory.sh
# intermittent failures on builders, unknown reason
sed '2i echo Skipping du basic test && exit 77' -i ./tests/du/basic.sh
# flaky on some filesystems due to non-deterministic disk usage
sed '2i echo Skipping du deref test && exit 77' -i ./tests/du/deref.sh
sed '2i echo Skipping du inacc-dir test && exit 77' -i ./tests/du/inacc-dir.sh
# fails when syscalls related to acl not being available, e.g. in sandboxed environment
sed '2i echo Skipping ls -al with acl test && exit 77' -i ./tests/ls/acl.sh
''
+ (optionalString (stdenv.hostPlatform.libc == "musl") (
concatStringsSep "\n" [
''
echo "int main() { return 77; }" > gnulib-tests/test-parse-datetime.c
echo "int main() { return 77; }" > gnulib-tests/test-getlogin.c
''
]
))
+ (optionalString stdenv.hostPlatform.isAarch64 ''
# Sometimes fails: https://github.com/NixOS/nixpkgs/pull/143097#issuecomment-954462584
sed '2i echo Skipping cut huge range test && exit 77' -i ./tests/cut/cut-huge-range.sh
'')
+ (optionalString stdenv.hostPlatform.isPower64
# test command fails to parse long fraction part on ppc64
# When fraction parsing is fixed, still wrong output due to fraction length mismatch
# https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78985
''
sed '2i echo Skipping float sort-ing test && exit 77' -i ./tests/sort/sort-float.sh
''
);
outputs = [
"out"
"info"
];
separateDebugInfo = true;
nativeBuildInputs = [
perl
xz.bin
];
buildInputs =
[ ]
++ optional aclSupport acl
++ optional attrSupport attr
++ optional gmpSupport gmp
++ optional withOpenssl openssl
++ optionals selinuxSupport [
libselinux
libsepol
]
# TODO(@Ericson2314): Investigate whether Darwin could benefit too
++ optional (isCross && stdenv.hostPlatform.libc != "glibc") libiconv;
hardeningDisable = [ "trivialautovarinit" ];
configureFlags = [
"--with-packager=https://nixos.org"
"--with-selinux"
"--enable-install-program=kill,uptime"
]
++ optional (singleBinary != false) (
"--enable-single-binary" + optionalString (isString singleBinary) "=${singleBinary}"
)
++ optional withOpenssl "--with-openssl"
++ optional stdenv.hostPlatform.isSunOS "ac_cv_func_inotify_init=no"
++ optional withPrefix "--program-prefix=g"
# the shipped configure script doesn't enable nls, but using autoreconfHook
# does so which breaks the build
++ optional stdenv.hostPlatform.isDarwin "--disable-nls"
# The VMULL-based CRC implementation produces incorrect results on musl.
# https://lists.gnu.org/archive/html/bug-coreutils/2025-02/msg00046.html
++ optional (
stdenv.hostPlatform.config == "aarch64-unknown-linux-musl"
) "utils_cv_vmull_intrinsic_exists=no"
++ optionals (isCross && stdenv.hostPlatform.libc == "glibc") [
# TODO(19b98110126fde7cbb1127af7e3fe1568eacad3d): Needed for fstatfs() I
# don't know why it is not properly detected cross building with glibc.
"fu_cv_sys_stat_statfs2_bsize=yes"
]
# /proc/uptime is available on Linux and produces accurate results even if
# the boot time is set to the epoch because the system has no RTC. We
# explicitly enable it for cases where it can't be detected automatically,
# such as when cross-compiling.
++ optional stdenv.hostPlatform.isLinux "gl_cv_have_proc_uptime=yes";
# The tests are known broken on Cygwin
# (http://article.gmane.org/gmane.comp.gnu.core-utils.bugs/19025),
# Darwin (http://article.gmane.org/gmane.comp.gnu.core-utils.bugs/19351),
# and {Open,Free}BSD.
# With non-standard storeDir: https://github.com/NixOS/nix/issues/512
doCheck =
(!isCross)
&& (stdenv.hostPlatform.libc == "glibc" || stdenv.hostPlatform.libc == "musl")
&& !stdenv.hostPlatform.isAarch32;
enableParallelBuilding = true;
env = {
NIX_LDFLAGS = optionalString selinuxSupport "-lsepol";
FORCE_UNSAFE_CONFIGURE = optionalString stdenv.hostPlatform.isSunOS "1";
NIX_CFLAGS_COMPILE = toString (
[ ]
# Work around a bogus warning in conjunction with musl.
++ optional stdenv.hostPlatform.isMusl "-Wno-error"
++ optional stdenv.hostPlatform.isAndroid "-D__USE_FORTIFY_LEVEL=0"
# gnulib does not consider Clang-specific warnings to be bugs:
# https://lists.gnu.org/r/bug-gnulib/2025-06/msg00325.html
# TODO: find out why these are happening on cygwin, which is gcc
++ optional (stdenv.cc.isClang || stdenv.hostPlatform.isCygwin) "-Wno-error=format-security"
);
}
// optionalAttrs isCross {
# Prevents attempts of running 'help2man' on cross-built binaries.
PERL = "missing";
};
# Works around a bug with 8.26:
# Makefile:3440: *** Recursive variable 'INSTALL' references itself (eventually). Stop.
preInstall = optionalString isCross ''
sed -i Makefile -e 's|^INSTALL =.*|INSTALL = ${buildPackages.coreutils}/bin/install -c|'
'';
postInstall =
optionalString (isCross && !minimal) ''
rm $out/share/man/man1/*
cp ${buildPackages.coreutils-full}/share/man/man1/* $out/share/man/man1
''
# du: 8.7 M locale + 0.4 M man pages
+ optionalString minimal ''
rm -r "$out/share"
'';
passthru =
{ }
// optionalAttrs (singleBinary != false) {
# everything in the single binary gets the same verdict, so we
# override _that case_ with verdicts from separate binaries.
#
# binlore only spots exec in runcon on some platforms (i.e., not
# darwin; see comment on inverse case below)
binlore.out = binlore.synthesize finalAttrs.finalPackage ''
execer can bin/${
if withPrefix then "g" else ""
}{chroot,env,install,nice,nohup,runcon,sort,split,stdbuf,timeout}
execer cannot bin/${
if withPrefix then "g" else ""
}{[,b2sum,base32,base64,basename,basenc,cat,chcon,chgrp,chmod,chown,cksum,comm,cp,csplit,cut,date,dd,df,dir,dircolors,dirname,du,echo,expand,expr,factor,false,fmt,fold,groups,head,hostid,id,join,kill,link,ln,logname,ls,md5sum,mkdir,mkfifo,mknod,mktemp,mv,nl,nproc,numfmt,od,paste,pathchk,pinky,pr,printenv,printf,ptx,pwd,readlink,realpath,rm,rmdir,seq,sha1sum,sha224sum,sha256sum,sha384sum,sha512sum,shred,shuf,sleep,stat,stty,sum,sync,tac,tail,tee,test,touch,tr,true,truncate,tsort,tty,uname,unexpand,uniq,unlink,uptime,users,vdir,wc,who,whoami,yes}
'';
}
// optionalAttrs (singleBinary == false) {
# binlore only spots exec in runcon on some platforms (i.e., not
# darwin; I have a note that the behavior may need selinux?).
# hard-set it so people working on macOS don't miss cases of
# runcon until ofBorg fails.
binlore.out = binlore.synthesize finalAttrs.finalPackage ''
execer can bin/${if withPrefix then "g" else ""}runcon
'';
};
meta = {
homepage = "https://www.gnu.org/software/coreutils/";
description = "GNU Core Utilities";
longDescription = ''
The GNU Core Utilities are the basic file, shell and text manipulation
utilities of the GNU operating system. These are the core utilities which
are expected to exist on every operating system.
'';
license = lib.licenses.gpl3Plus;
maintainers = with lib.maintainers; [
das_j
mdaniels5757
];
teams = [ lib.teams.security-review ];
platforms = with lib.platforms; unix ++ windows;
priority = 10;
identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "gnu" finalAttrs.version;
};
})
|
