Discussion: The future of SDKs on Darwin

[reckenrode]

With #234710 getting close to done and the LLVM bump imminent, #229210 should be able to move forward adding new SDKs. We’ve had several conversations on Matrix regarding how we’d like to handle multiple SDKs. The purpose of this issue is to capture those conversations and work towards a consensus.

I’m pinging @toonn and @emilazy because we have discussed this on Matrix before. I am also pinging @jtojnar because @drupol mentioned having talked with him about the SDK issue. If there is anyone I forget, feel free to ping them.

Assumptions

• There need to be multiple SDKs. Unfortunately, if we want to build software that uses features on new platforms, we can’t just use a newer SDK by default because static feature detection may result in binaries that don’t run on older platforms.
• x86_64-darwin will continue to maintain an older default than aarch64-darwin. That is currently 10.12 but will need to increase to 10.13 because libc++ 17 has dropped support for 10.12.
• It should be easy to use in the simple case while also composing well with language and other complex frameworks.
• It should be possible to mix dependencies using different SDKs, and switching an SDK should not result in a complete rebuild of the stdenv just to use it. All stdenvs should share a common libc++.

Current Situation

There are two SDKs currently in nixpkgs: the 10.12 SDK and the 11.0 SDK. 10.12 is the default on x86_64-darwin, and 11.0 is the default on aarch64-darwin. The 10.12 SDK is built from Apple’s source releases where possible while the 11.0 SDK is derived from the upstream SDK. There is some shared implementation but also a lot of custom implementation between the two.

The default SDK is darwin.apple_sdk. Packages that need to access SDK packages typically use the package and the inherit (darwin) <package> pattern. To use a different SDK, the common pattern is to use apple_sdk_<version>.callPackage, which overrides some parts of Darwin to provide versions from the new SDK. However, explicitly inheriting packages also requires updating those to reference the new SDK.

Friction Points

The SDK typically ends up providing SDK-specific stdenvs and language frameworks (like rustPlatform). The SDK should not have to concern itself with how it is being used downstream, and those frameworks should just worked based on the chosen SDK (picking it up as well as the updated compilers).

xcbuild hardcodes the SDK it uses. It should be possible to override this in a way that does not require rebuilding xcbuild every time a new SDK is required.

propagatedBuildInputs do not work well with SDK overrides. For example, it is not possible to mix libGLU, which propagates a couple of SDK frameworks, in a package that needs a different SDK because it results in headers being used from the wrong SDK.

The top level of darwin attribute set contains some SDK-specific items (like Libsystem). These need to be moved to their appropriate SDKs. The top level should contain only packages that are Darwin-specific and part of or associated with an SDK.

CF is a massive pain in the ass. It should either be dropped or made to build on aarch64-darwin. Having two different build paths through the stdenv bootstrap complicates things. The way CF propagates also makes the stdenv bootstrap very sensitive to the order things are built on x86_64-darwin. There are also risks for cyclical dependencies¹.

Updating SDKs and making them source-based is difficult. This is going to be a problem for x86_64-darwin when it comes time to bump to clang 18 next year because libc++ will have dropped support for the platform, and additional post-10.12 APIs may be used (meaning it may not be feasible just to revert the commit that removed to 10.12 support).

---

¹: There are two examples I have encountered while working on the stdenv rework.

• CF depended on curl, which depends on CoreFoundation. The old stdenv avoided this issue by not including the rpath, causing nix not to find the dependency on the linked CF from a prior bootstrap stage. This was fixed in the new stdenv by removing the curl usage from CF. Fortunately, it is not needed in our usage because we do not build swift-corelibs Foundation.
• Bash depends on CF, but CF depends on libxml2 and ICU, which provide scripts that include shebang lines that need patched to use bash from nixpkgs. This worked in the old stdenv because only it used darwin.ICU, and libxml2 just happened to work with the system bash on Darwin. The reworked stdenv uses the nixpkgs icu, which caused problems with packages that used the script to get icu’s build flags. This was fixed by making bash depend on CoreFoundation instead of CF.

[reckenrode]

I’m replying with my perspective separately to keep it from biasing the OP. I would like to see a singular approach to overriding the SDK and a pattern that plays nicely with it. It seems to me that the SDK is analogous to the libc, and so should live as an attribute on the stdenv. When you need an SDK package, you should reference stdenv.apple_sdk in your derivation. This has two benefits:

• It makes overriding the SDK be a stdenv adapter. This should allow the SDK to be overriden for any stdenv without requiring it to provide a special, vendored stdenv as it does today.
• It plays nicely with callPackage and the simple package paths proposal because references to specific frameworks would be handled in the derivation.

For example, given an adapter might like:

overrideSDK = stdenv: new_sdk:
  let mkCC = cc:
    cc.override {
      bintools =s tdenv.cc.bintools.override { libc = new_sdk.Libsystem; };
      libc = new_sdk.Libsystem;
    };
  in
  (overrideCC stdenv (mkCC stdenv.cc)).override {
    extraBuildInputs = [ new_sdk.CF ];
    hostPlatform = stdenv.hostPlatform // {
      darwinSdkVersion = new_sdk.version;
    };
  } // {
    apple_sdk = new_sdk;
  };

Given the following derivation:

{ stdenv, zlib }:

stdenv.mkDerivation {
  name = "my-package";
  version = "1.0.0";
  buildInputs = [ zlib ]
    ++ lib.optionals stdenv.isDarwin (with stdenv.apple_sdk.frameworks; [ CoreFoundation ]);
}

There are two ways to use this. With an explicit callPackage:

my-package = callPackage ./path/to/my-package {
  stdenv = if stdenv.isDarwin then overrideSDK stdenv darwin.apple_sdk_13 else stdenv;
};

Auto-called inside the derivation:

{ stdenv, darwin, overrideSDK, zlib }:

let
  stdenv' = if stdenv.isDarwin then overrideSDK stdenv darwin.apple_sdk_latest else stdenv;
in
stdenv'.mkDerivation {
  pname = "my-package";
  buildInputs = [ zlib ]
    ++ lib.optionals stdenv'.isDarwin (with stdenv'.apple_sdk.frameworks; [ CoreFoundation ]);
  # etc
}

Which pattern is preferred should follow how different stdenv requirements are handled after the simple package paths RFC is implemented.

[reckenrode]

Regarding SDK evolution, I would like to see the 10.12 SDK retrofitted into the structure being implemented #229210. The source SDK components should be implemented as overlays. I think being able to incrementally convert an SDK will make it easier to move forward on that front. We should also be aiming for an ideal of “source-based headers plus tbd files” for purity. Trying to build Apple’s OSS stuff can be pretty painful, especially newer releases.

For non-SDK applications (e.g., adv_cmds, system_cmds, etc), though should be treated as normal packages and updated to be as new as will build on the default SDK for a platform. When they are common packages that are already maintained in nixpkgs, they should be dropped in favor of the nixpkgs versions (e.g., ICU and libiconv).

[toonn]

Since I agree with most of this, I don't really have much to add. I don't think we need to worry about 10.13, that work is progressing, I will be opening PRs soon.

This might be out of scope but I want to bring it up anyway.

To me the ideal scenario would be packages simply specify what minimum macOS version they support; potentially a maximum too but that's pretty much a non-issue at this point. The Nixpkgs infrastructure would then provide whatever this minimum version is, probably preferring source releases over the SDK distributed by Apple.

Now, while this minimum version information seems appropriate for a package's meta attribute, that would be quite challenging to get at, since it's a derivation attribute and the SDK inputs are a prerequisite to evaluating the derivation.

Maybe darwin should be a function, taking the minimum version as an argument? Inputs would then be specified as something along the lines of inherit (darwin "13.2") Libsystem. Overriding a package's minimum version would be done by essentially passing in _: darwin "14.0".
I wouldn't be surprised if there were better ways of doing this though.

Is it feasible for us to take something like this into account? In the simple case it'd mean maintainers just look up what the minimum supported macOS version is upstream, pass it in however we decide on doing it and be done with it. In the probably more common case it'd mean looking up what version of macOS symbols were introduced in. This could be scripted to reduce the pain though.

> macOSMinimum.sh symbol1 symbol2 ... symbolN
Oldest version containing all symbols: 11.0.1

[reckenrode]

Since I agree with most of this, I don't really have much to add. I don't think we need to worry about 10.13, that work is progressing, I will be opening PRs soon.

Will that introduce a new apple_sdk_10_13 or modify the existing apple_sdk? I ask to illustrate the direction I’d like to see the SDKs go, which is a separate release for each version. apple_sdk is then set to the default SDK for the architecture — similar to LLVM where there are multiple llvmPackages_X but only one llvmPackages that is the default for the platform.

[reckenrode]

This might be out of scope but I want to bring it up anyway.

It seems in scope since it pertains to how the SDK interacts with nixpkgs.

To me the ideal scenario would be packages simply specify what minimum macOS version they support; potentially a maximum too but that's pretty much a non-issue at this point. The Nixpkgs infrastructure would then provide whatever this minimum version is, probably preferring source releases over the SDK distributed by Apple.

Is that the minimum runtime or build requirement?

MoltenVK supports back to 10.11, but it really should be built with the latest SDK. It can’t even be built with the 10.11 (or 10.12) SDKs, and building with pre-latest SDKs negatively impacts feature availability when run on newer macOS releases.

Now, while this minimum version information seems appropriate for a package's meta attribute, that would be quite challenging to get at, since it's a derivation attribute and the SDK inputs are a prerequisite to evaluating the derivation.

Maybe darwin should be a function, taking the minimum version as an argument? Inputs would then be specified as something along the lines of inherit (darwin "13.2") Libsystem. Overriding a package's minimum version would be done by essentially passing in _: darwin "14.0". I wouldn't be surprised if there were better ways of doing this though.

How would it interact with language frameworks and alternate stdenvs? Would the SDK still have to vend e.g., gcc12Stdenv, if you need a non-standard stdenv?

Is it feasible for us to take something like this into account? In the simple case it'd mean maintainers just look up what the minimum supported macOS version is upstream, pass it in however we decide on doing it and be done with it. In the probably more common case it'd mean looking up what version of macOS symbols were introduced in. This could be scripted to reduce the pain though.

> macOSMinimum.sh symbol1 symbol2 ... symbolN
Oldest version containing all symbols: 11.0.1

The script sounds handy regardless. It would also be nice to know if some of those symbols are weakly linked (because it might allow well-behaved applications to be built with a newer SDK with an older deployment target).

[abathur]

x86_64-darwin will continue to maintain an older default than aarch64-darwin. That is currently 10.12 but will need to increase to 10.13 because libc++ 17 has dropped support for 10.12.

Tangent to the main point here (happy to rm if it's a distraction): I guess this implies some thinking/coordination with installers and about what should happen on any existing installs under this floor? (I have no clue if there actually are any left in the wild...)

• The Nix installer uses 10.12.6 as a minimum version. (See installer: update macOS version check to 10.12.2 nix#2594 for the last bump, though I'm not sure why there's a discrepancy between the 10.12.2 in the title and 10.12.6 as implemented.)

• I don't see the same test in the detsys installer. I do see a version test in https://github.com/DeterminateSystems/nix-installer/blob/d076888f8822d30ffe17f51ba6e81714d5c92796/nix-installer.sh#L331-L382, but it looks like it's just related to the help command. They might technically be installing on ~unsupported versions?

  (If so, anyone with access to a macOS this old might be able to use it to test how clear Nix/nixpkgs failure mode(s) are here? I'll ask on Matrix if the detsys folks can shed any light on macOS versions used, though TBH I'd be surprised if pre 10.13 devices are still getting fresh Nix installs even if they're still in service...)

• Depending on the failure modes, maybe something to ensure it's clear or telegraph deprecation? (IDK. Feels silly to waste much time on this if no one's still using it, but a sudden ~EOL on a channel update would suck if the devices are still load-bearing somewhere.)

[reckenrode]

x86_64-darwin will continue to maintain an older default than aarch64-darwin. That is currently 10.12 but will need to increase to 10.13 because libc++ 17 has dropped support for 10.12.

Tangent to the main point here (happy to rm if it's a distraction): I guess this implies some thinking/coordination with installers and about what should happen on any existing installs under this floor? (I have no clue if there actually are any left in the wild...)

No, I think it’s something that needs consideration too. If Darwin is going to regularly add SDKs and update LLVM, we need to determine what the deprecation process looks like for packages and platforms and document it.

• The Nix installer uses 10.12.6 as a minimum version. (See installer: update macOS version check to 10.12.2 nix#2594 for the last bump, though I'm not sure why there's a discrepancy between the 10.12.2 in the title and 10.12.6 as implemented.)
• I don't see the same test in the detsys installer. I do see a version test in https://github.com/DeterminateSystems/nix-installer/blob/d076888f8822d30ffe17f51ba6e81714d5c92796/nix-installer.sh#L331-L382, but it looks like it's just related to the help command. They might technically be installing on ~unsupported versions?

I assume coordinating with the installers would be part of the deprecation process. What channel do they use by default? That would also affect things since the unstable channel would change over before the stable one.

(If so, anyone with access to a macOS this old might be able to use it to test how clear Nix/nixpkgs failure mode(s) are here? I'll ask on Matrix if the detsys folks can shed any light on macOS versions used, though TBH I'd be surprised if pre 10.13 devices are still getting fresh Nix installs even if they're still in service...)

• Depending on the failure modes, maybe something to ensure it's clear or telegraph deprecation? (IDK. Feels silly to waste much time on this if no one's still using it, but a sudden ~EOL on a channel update would suck if the devices are still load-bearing somewhere.)

It would be nice if there were a place in the release notes for Darwin-related changes, especially deprecations and incompatibilities. Given an LLVM 18 bump won’t happen until this time next year for the 24.11 release, an announcement in 23.11 would provide a year’s notice of the upcoming change.

[abathur]

What channel do they use by default?

The official installer uses unstable. I don't understand what exactly the detsys installer does here.

They do cite what they don't do:

• nix-channel --update is not run, ~/.nix-channels is not provisioned

But I haven't gone through it to understand the full implications.

[reckenrode]

What channel do they use by default?

The official installer uses unstable.

That’s what I thought, so we have less time than until the 24.11 release. Can we get a deprecation notice or some changes in the installer to let users know that 10.12 support will be dropping next year?

If necessary we might be able to push it out to 2025 by reverting the commit from libc++ that drops 10.12 support, but we’d also need to make sure it’s not using 10.13 APIs anywhere else (and the LLVM maintainers are willing to carry the patch).

I don't understand what exactly the detsys installer does here.
They do cite what they don't do:

• nix-channel --update is not run, ~/.nix-channels is not provisioned

But I haven't gone through it to understand the full implications.

I assume the lack of channels is because they assume people will be using flakes, but I reached out on Matrix to see if anyone had any experience with it to confirm.

[reckenrode]

Another topic worth discussing is how to handle open source releases that are out of date or no longer available.

I ran into this while testing the clang 16 update. Ruby fails to build with clang 16 on x86_64-darwin because it needs __cospi and __sinpi. These were added in 10.9, so they should be available in the 10.12 SDK, but the math.h header in the 10.12 source-based SDK is dated from 2002 and does not have those definitions. The reason why Ruby detects and tries to use them is because autoconf only checks that functions with those names can be linked.

I’m currently planning to use the 11.0 SDK to build Ruby, but it would be better if there were a way to provide the up-to-date headers for the 10.12 SDK.

[toonn]

I think the plan to overlay source releases on the SDKs kinda solves the outdated/unavailable source problem. If there's no source for something, we get it from the SDK, like XPC for example. Unless an open source reimplementation comes along.

[uri-canva]

I think SDKs and platforms are strongly related, is there some way how we can align the darwin sdks with the concept of nix platforms? For example the platforms in lib/systems/examples.nix have attributes such as sdkVer = "14.3"; xcodeVer = "12.3"; xcodePlatform = "iPhoneSimulator";, but I think they're only used when cross compiling. Can we use the same pattern to configure the regular non-cross compile flows as well?

We might need to represent the distinction between the host and target platform: if I understand the MoltenVK case correctly for example, the host platform needs the latest SDK, but the target platform can be as low as 10.11.