x509-system: use /usr/bin/security on macOS.

[dhess]

This mirrors the workaround in nixpkgs for haskellPackages.

ref: NixOS/nixpkgs#47676

[michaelpj]

Does this work if x509-system isn't in the package set?

[dhess]

I'm using this in a temporary fork to build all kinds of packages, including some non-Stack projects. (It's Stack that pulls in x509-system 100%.)

My expectation was that this expression wouldn't be evaluated unless the package set includes x509-system.

[michaelpj]

Cool. I actually just don't know what the module system will do with this. e.g. I could imagine it complaining that x509-system wasn't defined or something.

[dhess]

For me, the real question about this PR is whether the conditional that guards the override is correct. In nixpkgs, my understanding is that you just need to use stdenv.isDarwin and that does the right thing for native builds and cross. But I get the impression (having not tried it myself) that cross-compiles are more complicated in haskell.nix, so it would be good to have someone who knows that stuff take a look at this PR.

There is also the complication that in nixpkgs, the equivalent code checks for !pkgs.stdenv.cc.nativeLibc, which I have mimicked here, but I confess that I don't understand why that's necessary:

https://github.com/NixOS/nixpkgs/blob/50863eb06c8f2f3397fa4cf0129a62047fbb765c/pkgs/development/haskell-modules/configuration-nix.nix#L160

[michaelpj]

We use stdenv.isDarwin all over the place, so I'm fairly confident that this is going to be okay. I have no idea about the nativeLibc thing, but I'm happy if we're copying it from nixpkgs.

I was about to ask if we should make a note to await the "proper fix" mentioned in the issue, and then I saw it was from 2018 😅

[michaelpj]

bors try

[iohk-bors]

try

Build succeeded:

• buildkite/haskell-dot-nix
• ci/hydra:Cardano:haskell-nix:required

[michaelpj]

Looks good, thanks for this!