matrix-tuwunel: fix gcc & rustc leaking into closure #462394
What about patching the source instead of doing binary replacement?
That's definitely a more proper way of doing it, however it requires more time than I currently have. The replacement hack is intended as a workaround until a proper fix can be developed.
Ok, I've queued up a nixpkgs-review for good measure, should be done in maybe an hour and a half. Thanks @symphorien for helping me with this!
Thanks for catching and fixing this. Looking at the output of The top few source references are all logging macros in tuwunel. I don't understand what exactly they're doing, but masking the paths sounds fine. My plan is to wait for the tests to pass in hydra and to deploy it to my server. Once I see nothing unexpected broke, I'll approve.
Looking at the output of However, I also see
Good catch, that should work too. |
You're right about it being compilation commands. Never mind what I said earlier about logging. And the reason we see gcc in there is because gcc seems to still be the linker. I expected this to have changed in 1.90 on x86-64, but it doesn't seem to have happened in nixpkgs. So, I've added a todo item for myself in a couple of months to check that LLVM hasn't snuck into the closure. Sizes measured with NixOS tests passed locally. I manually checked the
How about #462712 instead?
Alternative to the below PR Closes: NixOS#462394
Let's do the rustc patch in #462712 since it's small enough. If it turns out to be hard to maintain across version bumps, we'll switch back to the approach in this PR.
….9 → v1.5.0 ) (#1345)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/matrix-construct/tuwunel](https://redirect.github.com/matrix-construct/tuwunel) | minor | `v1.4.9` → `v1.5.0` |

---

### Release Notes

<details>
<summary>matrix-construct/tuwunel (ghcr.io/matrix-construct/tuwunel)</summary>

### [`v1.5.0`](https://redirect.github.com/matrix-construct/tuwunel/releases/tag/v1.5.0)

##### Tuwunel 1.5.0

January 31, 2026

##### New Features & Enhancements

- SSO/OIDC support. This feature allows users to register and login via authorizations from OIDC Identity Providers. For example, you can now use your GitHub account to register on the server. Tuwunel implements the OIDC client protocol directly. This is referred to as "legacy SSO" in the Matrix specification; Matrix client support is widespread. Credit to [@samip5](https://redirect.github.com/samip5) for opening the feature-issue ([#7](https://redirect.github.com/matrix-construct/tuwunel/issues/7)), the most 👍 feature of the project.
- [MSC2815](https://redirect.github.com/matrix-org/matrix-spec-proposals/pull/2815) has been implemented, allowing configurable redacted event retention and retrieval by room admins. The content of redacted events is persisted for sixty days by default. Redacted events can be viewed using Gomuks.
- Secure limited-use registration token support was implemented by [@dasha-uwu](https://redirect.github.com/dasha-uwu) building off earlier work by [@gingershaped](https://redirect.github.com/gingershaped) in ([`56f3f5e`](https://redirect.github.com/matrix-construct/tuwunel/commit/56f3f5ea154)). Use this feature with the new `!admin token` set of commands.
- An outstanding major rework of the presence system by [@lhjt](https://redirect.github.com/lhjt) in ([#264](https://redirect.github.com/matrix-construct/tuwunel/issues/264)) coordinates conflicting updates from multiple devices and further builds on push suppression features first introduced by [@tototomate123](https://redirect.github.com/tototomate123).
- [MSC3706](https://redirect.github.com/matrix-org/matrix-spec-proposals/pull/3706) has been implemented, improving the performance and reliability of joining rooms over federation ([`b33e736`](https://redirect.github.com/matrix-construct/tuwunel/commit/b33e73672b)).
- [@VlaDexa](https://redirect.github.com/VlaDexa) implemented reading the `client_secret` configuration for an SSO Identity Provider from a separate file; a recommended secure practice ([#256](https://redirect.github.com/matrix-construct/tuwunel/issues/256)).
- Special thanks to [@winyadepla](https://redirect.github.com/winyadepla) for adding highly sought Matrix RTC (Element Call) documentation for Tuwunel in ([#265](https://redirect.github.com/matrix-construct/tuwunel/issues/265)) and for having a kind heart to follow up with maintenance in ([#270](https://redirect.github.com/matrix-construct/tuwunel/issues/270)).
- Thank you [@Xerusion](https://redirect.github.com/Xerusion) for documenting Traefik for deploying Tuwunel in ([#259](https://redirect.github.com/matrix-construct/tuwunel/issues/259)). This will save a lot of time and headache for many new users!
- At the request of [@ChronosXYZ](https://redirect.github.com/ChronosXYZ) in ([#260](https://redirect.github.com/matrix-construct/tuwunel/issues/260)), [@dasha-uwu](https://redirect.github.com/dasha-uwu) implemented a configurable feature to include all local users in search results, rather than limiting to those in public or shared rooms ([`95121ad`](https://redirect.github.com/matrix-construct/tuwunel/commit/95121ad905fb)).
- Thanks to a collaboration by [@x86pup](https://redirect.github.com/x86pup) and [@VlaDexa](https://redirect.github.com/VlaDexa) working through Nix maintenance we can now upgrade the MSRV to 1.91.1 ([#275](https://redirect.github.com/matrix-construct/tuwunel/issues/275)).
- Thank you [@scvalex](https://redirect.github.com/scvalex) for updating the README indicating Tuwunel is in stable NixOS ([#233](https://redirect.github.com/matrix-construct/tuwunel/issues/233)).
- Thank you [@divideableZero](https://redirect.github.com/divideableZero) for updating the README with great news about an [Alpine Package](https://pkgs.alpinelinux.org/package/edge/testing/x86_64/tuwunel) ([#248](https://redirect.github.com/matrix-construct/tuwunel/issues/248)).
- Storage hardware characteristics for mdraid devices on Linux are now detected. On these systems we can now shape database requests to increase performance above generic defaults.
- EdDSA is now a supported algorithm for JWT logins. Thank you [@vnhdx](https://redirect.github.com/vnhdx) for the excellent report in ([#258](https://redirect.github.com/matrix-construct/tuwunel/issues/258)).
- Optimizations were made to maximize concurrency and cache performance when gathering the `auth_chain`.
- An admin command to manually remove a pusher is available (note: not intended for normal use).
- An admin command to list local users by recent activity was added.

##### Bug Fixes

- LDAP users are now auto-joined to configured rooms upon creation. Thank you [@yefimg](https://redirect.github.com/yefimg) for ([#234](https://redirect.github.com/matrix-construct/tuwunel/issues/234)), we especially appreciate help from domain-experts on these features.
- A surgical fix by [@kuhnchris](https://redirect.github.com/kuhnchris) in ([#254](https://redirect.github.com/matrix-construct/tuwunel/issues/254)) addressed a pesky bug where LDAP logins would result in admin privileges being removed for the user. Thank you [@foxing-quietly](https://redirect.github.com/foxing-quietly) for reporting in ([#236](https://redirect.github.com/matrix-construct/tuwunel/issues/236)).
- [@OptimoSupreme](https://redirect.github.com/OptimoSupreme) fixed issues with unread notification counting, including eliminating one of the last remaining non-async database calls in the codebase in ([#253](https://redirect.github.com/matrix-construct/tuwunel/issues/253)).
- [@x86pup](https://redirect.github.com/x86pup) fixed linker issues for platforms without static builds of `io_uring`. Thanks [@darix](https://redirect.github.com/darix) for reporting in ([#238](https://redirect.github.com/matrix-construct/tuwunel/issues/238)).
- [@x86pup](https://redirect.github.com/x86pup) fixed compatibility for our optimized jemalloc build on macOS ([#239](https://redirect.github.com/matrix-construct/tuwunel/issues/239)).
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) made Livekit operate properly even when federation is disabled ([`b5f50c3`](https://redirect.github.com/matrix-construct/tuwunel/commit/b5f50c3fda3)). Thank you [@apodavalov](https://redirect.github.com/apodavalov) for reporting in ([#240](https://redirect.github.com/matrix-construct/tuwunel/issues/240)).
- Thank you [@VlaDexa](https://redirect.github.com/VlaDexa) for updating the `Cache-Control` header to cache media as `private` which is more appropriate now in the Authenticated Media era.
- Appservices now receive events properly matching on the sender MXID's localpart thanks to [@dasha-uwu](https://redirect.github.com/dasha-uwu) ([`c5508bb`](https://redirect.github.com/matrix-construct/tuwunel/commit/c5508bba58d0)).
- Additional PDU format and compliance checks were added by [@dasha-uwu](https://redirect.github.com/dasha-uwu) ([`7b2079f`](https://redirect.github.com/matrix-construct/tuwunel/commit/7b2079f71499)).
- Codepaths in sync systems which assumed `device_id` from appservices were fixed by [@dasha-uwu](https://redirect.github.com/dasha-uwu).
- Auto-joining version 12 rooms was inhibited from a bug fixed by [@dasha-uwu](https://redirect.github.com/dasha-uwu) in ([`7115fb2`](https://redirect.github.com/matrix-construct/tuwunel/commit/7115fb2796f)).
- Thank you [@x86pup](https://redirect.github.com/x86pup) for updating our ldap3 dependency with SSL/TLS enhancements in ([#243](https://redirect.github.com/matrix-construct/tuwunel/issues/243)) and fixing errors reported by [@fruzitent](https://redirect.github.com/fruzitent) in ([#108](https://redirect.github.com/matrix-construct/tuwunel/issues/108)).
- Thanks to [@x86pup](https://redirect.github.com/x86pup) `join_rule` is now properly defaulted in `/publicRooms` responses in ([#244](https://redirect.github.com/matrix-construct/tuwunel/issues/244)); additional compliance tests now pass!
- Thank you [@bdfd9](https://redirect.github.com/bdfd9) for reporting a regression where tracing spans around registrations did not filter out passwords from the list of fields.
- The timezone and extended profile features were not correctly stabilized last summer and the `m.tz` field was incorrectly labeled `tz`. Thank you [@bunnyblack](https://redirect.github.com/bunnyblack):matrix.org for reporting in #tuwunel:matrix.org.
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) fixed git tags not being pulled and applied to CI builds ([`eadc9e7`](https://redirect.github.com/matrix-construct/tuwunel/commit/eadc9e782d8)).
- [@dasha-uwu](https://redirect.github.com/dasha-uwu) fixed a bug in sliding-sync which may result in lost invites ([`fd519ff`](https://redirect.github.com/matrix-construct/tuwunel/commit/fd519ff7f174)).
- `since` tokens in legacy sync are now clamped to a maximum when the client sends a value greater than expected, preventing a possibility of missing events during the request.
- Media deletion commands which are time-based suffered a bug from incorrect creation timestamps on some filesystems. This was resolved by exclusively using the `mtime` attribute, which is acceptable because Matrix media is immutable.
- Queries for the deprecated `_matrix._tcp` SRV record have been reactivated due to an ineffective and unenforced sunset by the specification and other implementations.
- Thank you [@x86pup](https://redirect.github.com/x86pup) and [@dasha-uwu](https://redirect.github.com/dasha-uwu) for various maintenance and linting efforts for the latest rustc versions and in general.

##### Honorable Mentions

- Please take a moment to recognize how lucky we are to have [@scvalex](https://redirect.github.com/scvalex) as our NixOS package maintainer. From having the wherewithal to rise above the noise and lend this project trust from the very first days, time and again this gentleman has gone above and beyond on our behalf. Thank you [@symphorien](https://redirect.github.com/symphorien) at NixOS as well for the patch applied surgically in [NixOS/nixpkgs#462394](https://redirect.github.com/NixOS/nixpkgs/pull/462394).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: bot-nicole[bot] <205127124+bot-nicole[bot]@users.noreply.github.com>
Something in `matrix-tuwunel` causes Rust to write crate compilation commands into the `tuwunel` executable, leading to Nix picking up `rustc-unwrapped` as a runtime dependency. This bloats the closure by about 1.5GB. Simply replacing the path with an invalid one fixes this without affecting the functionality of tuwunel.
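
Why the replacement described above removes the dependency, as an added example that is not code from this PR or from nixpkgs: Nix derives runtime dependencies by scanning build outputs for the hash part of store paths, so overwriting a hash with a same-length invalid string drops the reference without shifting any bytes. The function names, sample bytes, hashes and version strings are constructed for illustration.

```python
import re

# Nix's base32 alphabet for store-path hashes; it omits e, o, t and u.
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"
STORE_REF = re.compile(
    rb"/nix/store/([" + NIX_B32.encode() + rb"]{32})-([A-Za-z0-9+._?=-]+)"
)
# 'e' is outside the alphabet, so this can never name a real store path.
INVALID_HASH = b"e" * 32


def find_references(blob: bytes) -> dict[str, str]:
    """Return {hash: name} for every store path embedded in the bytes."""
    return {m.group(1).decode(): m.group(2).decode()
            for m in STORE_REF.finditer(blob)}


def mask_references(blob: bytes, name_prefixes: tuple[str, ...]) -> bytes:
    """Overwrite the hash of build-only paths, keeping the length identical."""
    def repl(m: re.Match) -> bytes:
        if m.group(2).decode().startswith(name_prefixes):
            return b"/nix/store/" + INVALID_HASH + b"-" + m.group(2)
        return m.group(0)  # genuine runtime dependency: leave untouched
    return STORE_REF.sub(repl, blob)


# Constructed stand-in for an executable (not real tuwunel bytes).
H_GLIBC = "a1b2c3d4" * 4
H_RUSTC = NIX_B32
H_GCC = NIX_B32[::-1]
SAMPLE = b"".join([
    b"\x7fELF\x02\x01\x01\x00",
    b"/nix/store/" + H_GLIBC.encode() + b"-glibc-2.40/lib/ld-linux-x86-64.so.2\x00",
    b"/nix/store/" + H_RUSTC.encode()
    + b"-rustc-unwrapped-1.90.0/bin/rustc --crate-name tuwunel\x00",
    b"/nix/store/" + H_GCC.encode() + b"-gcc-wrapper-14.3.0/bin/cc\x00",
])
MASKED = mask_references(SAMPLE, ("rustc", "gcc"))

if __name__ == "__main__":
    print("before:", sorted(find_references(SAMPLE).values()))
    print("after: ", sorted(find_references(MASKED).values()))
```

The same scan is a quick regression check after a version bump: any `rustc` or `gcc` name reappearing in the output means the compiler has leaked back into the closure.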