Please don't recommend people disable SIP

[MikeMcQuaid]

https://github.com/commercialhaskell/stack/blob/master/doc/faq.md#why-is-dyld_library_path-ignored

Homebrew (a popular OS X package manager) packages Stack but don't want to have our users recommended to disable SIP. Would you consider removing the instructions/recommendation to disable SIP from your FAQ? Unfortunately if not we may need to remove Stack.

Thanks!

[MikeMcQuaid]

I also note that you suggest it in the official documentation above where you recommend people install with Homebrew: http://docs.haskellstack.org/en/stable/install_and_upgrade.html#mac-os-x so you can probably see our concern.

[mgsloan]

Hi! Yes, it's rather unfortunate. OS X has made a behavior change that puts us in a tight spot. Stack delegates much of the actual build out to the Cabal library, which apparently depends on DYLD_* environment variables passing through system binaries like shells. My wild guess is that cabal is running some things using a function like System.Process.system, which runs the requested command in a shell.

Stack is intended to provide reproducible builds, and as a result of various constraints, that also specifies a specific version of Cabal to build your code. This means we are stuck with versions of Cabal that have this behavior.

Please wait a bit on removing stack from brew, we can investigate whether there is some hack we can implement to resolve this. I think it would look like putting some executable named sh on the PATH, which behaves like sh, but passes through DYLD_* variables.

[MikeMcQuaid]

Please wait a bit on removing stack from brew, we can investigate whether there is some hack we can implement to resolve this. I think it would look like putting some executable named sh on the PATH, which behaves like sh, but passes through DYLD_* variables.

Thanks for investigating this. Do you have a timescale we can consider here? Thanks!

[mgsloan]

@borsboom @snoyberg @chrisdone Thoughts on timescale? I could try looking into this, but I don't personally own a mac and I'm probably missing the requisite mac-foo

I've marked this issue "help wanted" - perhaps some of our mac users can help?

[sam2000]

@mgsloan thanks for explaining this.

"we are stuck with versions of Cabal that have this behavior."

So does this the latest version of Cabal doesn't have this issue? I have started a discussion in the libraries mailing list asking if the guys there can solve this in Cabal. If they have already fixed it I should apologize and leave them alone :-)

[borsboom]

I think this may be happening at the GHC level as well. ghc is actually a shell script wrapper, and since /bin/sh is a protected binary DYLD_LIBRARY_PATH will get stripped from the environment at as soon as the compiler is invoked. It may be possible to work around by copying /bin/sh elsewhere and re-writing the shell script wrapper to use the new path. Note: this shell script wrapper is included with GHC, so this would more properly be fixed upstream.

Fundamentally, Stack is still useful with SIP enabled, and the FAQ doesn't recommend that all users disable it. It's only a workaround needed for two specific cases: using an old GHC version (7.8.4) that doesn't work at all with SIP enabled, or when you need to use DYLD_LIBRARY_PATH. We may be able to work around the latter, but I think we would continue to suggest disabling SIP as the only option for the former (old GHC version).

[MikeMcQuaid]

Fundamentally, Stack is still useful with SIP enabled, and the FAQ doesn't recommend that all users disable it. It's only a workaround needed for two specific cases: using an old GHC version (7.8.4) that doesn't work at all with SIP enabled, or when you need to use DYLD_LIBRARY_PATH. We may be able to work around the latter, but I think we would continue to suggest disabling SIP as the only option for the former (old GHC version).

I'd rather you added some far more dramatic caveats to that effect and removed it from the installation instructions part of your documentation, if that's 🆒.

[borsboom]

@MikeMcQuaid In 859b78d, I've adjusted the wording, added more severe warnings, and removed the actual instructions (just linking to another article with instructions). How's that look now?

[MikeMcQuaid]

@borsboom That looks great. Could you also consider tweaking http://docs.haskellstack.org/en/stable/install_and_upgrade.html#mac-os-x ?

[borsboom]

I did tweak it by removing any mention of SIP there, but still pointing to the FAQ entries. A reasonable number of people do still try to use GHC 7.8.4, so I at least want to point people to the FAQ for that case to avoid confusion.

[MikeMcQuaid]

@borsboom Great, thanks. Mind putting those points under Manual Download? People using Homebrew definitely won't be using GHC 7.8.4 with Stack.

[borsboom]

Why do you think people who install Stack via homebrew wouldn't use GHC 7.8.4? For example, if anyone tries to build a project using a Stackage LTS 1 or 2 snapshot, they will use GHC 7.8.4.

[MikeMcQuaid]

@borsboom brew install ghc will install 7.10.3. brew install anything that depends on GHC (e.g. haskell-stack) will auto-upgrade GHC and refuse to install unless it's upgraded.

[borsboom]

The haskell-stack bottle doesn't depend on ghc (note depends_on "ghc" => :build). Due to the importance of supporting multiple versions of GHC, Stack "sandboxes" GHC installations, which it installs from the official GHC binary distributions. Stack will use the system-wide GHC if it has the correct version, but otherwise will install its own copy of GHC.

[MikeMcQuaid]

Ok, I see. I still think it would be preferable to put that stuff below rather than above the installation instructions but I don't feel really strongly about it. Thanks!

[MikeMcQuaid]

That's great, thanks.