Rely less on system-provided libraries (i.e. make whitelist stricter)

DataDog · Jan 17, 2024 · 0b91019 · 0b91019
1 parent dfa4c92
commit 0b91019
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 7 deletions.
diff --git a/.builders/images/macos/build.sh b/.builders/images/macos/build.sh
@@ -45,6 +45,59 @@ else
         no-module \
         no-comp no-idea no-mdc2 no-rc5 no-ssl3 no-gost
 
+    # libxml & libxslt for lxml
+    DOWNLOAD_URL="https://download.gnome.org/sources/libxml2/2.10/libxml2-{{version}}.tar.xz" \
+    VERSION="2.10.3" \
+    SHA256="5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c" \
+    RELATIVE_PATH="libxml2-{{version}}" \
+      install-from-source \
+        --without-iconv \
+        --without-python \
+        --without-icu \
+        --without-debug \
+        --without-mem-debug \
+        --without-run-debug \
+        --without-legacy \
+        --without-catalog \
+        --without-docbook \
+        --disable-static
+
+    DOWNLOAD_URL="https://download.gnome.org/sources/libxslt/1.1/libxslt-{{version}}.tar.xz" \
+    VERSION="1.1.37" \
+    SHA256="3a4b27dc8027ccd6146725950336f1ec520928f320f144eb5fa7990ae6123ab4" \
+    RELATIVE_PATH="libxslt-{{version}}" \
+      install-from-source \
+        --with-libxml-prefix="${DD_PREFIX_PATH}" \
+        --without-python \
+        --without-crypto \
+        --without-profiler \
+        --without-debugger \
+        --disable-static
+
+    # curl
+    DOWNLOAD_URL="https://curl.haxx.se/download/curl-{{version}}.tar.gz" \
+    VERSION="8.4.0" \
+    SHA256="816e41809c043ff285e8c0f06a75a1fa250211bbfb2dc0a037eeef39f1a9e427" \
+    RELATIVE_PATH="curl-{{version}}" \
+      install-from-source \
+        --disable-manual \
+        --disable-debug \
+        --enable-optimize \
+        --disable-static \
+        --disable-ldap \
+        --disable-ldaps \
+        --disable-rtsp \
+        --enable-proxy \
+        --disable-dependency-tracking \
+        --enable-ipv6 \
+        --without-libidn \
+        --without-gnutls \
+        --without-librtmp \
+        --without-libssh2 \
+        --with-ssl="${DD_PREFIX_PATH}"
+    # Remove the binary installed so that we consistenly use the same original `curl` binary
+    rm "${DD_PREFIX_PATH}/bin/curl"
+
     # Dependencies needed to build librdkafka (and thus, confluent-kafka) with kerberos support
     # Note that we don't ship these but rely on the Agent providing a working cyrus-sasl installation
     # with kerberos support, therefore we only need to watch out for the version of cyrus-sasl being

diff --git a/.builders/scripts/repair_wheels.py b/.builders/scripts/repair_wheels.py
@@ -118,19 +118,40 @@ def repair_windows(source_dir: str, output_dir: str) -> None:
 
 def repair_darwin(source_dir: str, output_dir: str) -> None:
     from delocate import delocate_wheel
-    from delocate.delocating import filter_system_libs
-
-    exclusions = [
+    exclusions = [re.compile(s) for s in [
         # pymqi
-        'pymqe.cpython-311-darwin.so',
+        r'pymqe\.cpython-\d+-darwin\.so',
         # confluent_kafka
         # We leave cyrus-sasl out of the wheel because of the complexity involved in bundling it portably.
         # This means the confluent-kafka wheel will have a runtime dependency on this library
-        'libsasl2.3.dylib',
-    ]
+        r'libsasl2.\d\.dylib',
+        # Whitelisted libraries based on the health check default whitelist that we have on omnibus:
+        # https://github.com/DataDog/omnibus-ruby/blob/044a81fa1b0f1c50fc7083cb45e7d8f90d96905b/lib/omnibus/health_check.rb#L133-L152
+        # We use that instead of the more relaxed policy that delocate_wheel defaults to.
+        r'libobjc\.A\.dylib',
+        r'libSystem\.B\.dylib',
+        # Symlink of the previous one
+        r'libgcc_s\.1\.dylib',
+        r'CoreFoundation',
+        r'CoreServices',
+        r'Tcl$',
+        r'Cocoa$',
+        r'Carbon$',
+        r'IOKit$',
+        r'Kerberos',
+        r'Tk$',
+        r'libutil\.dylib',
+        r'libffi\.dylib',
+        r'libncurses\.5\.4\.dylib',
+        r'libiconv',
+        r'libstdc\+\+\.6\.dylib',
+        r'libc\+\+\.1\.dylib',
+        r'^/System/Library/',
+        r'libz\.1\.dylib',
+    ]]
 
     def copy_filt_func(libname):
-        return filter_system_libs(libname) and not any(os.path.basename(libname) == excl for excl in exclusions)
+        return not any(excl.search(libname) for excl in exclusions)
 
     for wheel in iter_wheels(source_dir):
         print(f'--> {wheel.name}')