4.18.0 unbuildable on macOS

[vcunat]

4.17.1 just worked. Now:

checking for mkfifoat... no
configure: error: function required by rpm

Holds both for x86_64 and aarch64 variant.

[pmatilai]

Yep. Rpm >= 4.18.0 requires the full *at() family from POSIX-1.2008 to address a class of symlink related vulnerabilities (CVE-2021-35937, CVE-2021-35939 and CVE-2021-35938 and their unreported relatives).

Just for the record, what OS X version is this?

[vcunat]

It's tough to say for me, as I'm not an "Apple person" and the distro is trying to cover a range of versions here. But IIRC the aarch64 builds assume quite a new macOS, as M1 is fairly new. (Perhaps someone from our community or yours will know more.)

[DemiMarie]

Could mkfifoat() be emulated with mknodat() or /dev/fd/?

[pmatilai]

mknodat() sure, but I'm very reluctant to go that way. If we slip on one POSIX.1-2008 requirement then we enter a slipperly slope and that's how ugly compatibility cruft starts accumulating, and ends up hurting future developments. If we workaround the missing mkfifoat() for OS X now, then we're on hook for doing that for the next compatibility issue too. And if there's no easy workaround for the next one?

[pmatilai]

Uff, according to python/cpython#97897 they're only adding mkfifoat() in macOS version 13 which isn't even released yet. If that's an actual fact, this is something we'll want to at least document more visibly.

I'd suggest folks interested in OS X take a closer look at this all. It's one thing if mkfifoat() is the only missing piece, it's a whole other thing if there are many more.

[DemiMarie]

/dev/fd/ is a pretty general workaround, if it works at all.

[pmatilai]

So this keeps getting mentioned in other places.

Let me make this clear: the rpm development team is not going to work on this, OS X is not a platform we (can) maintain. If you want to see rpm building on older OS X, a good starting point would be looking at what is actually needed and bring that info to the table before spending a lot of time producing a proper patch. Like said above, it's one thing if it's just mkfifoat(), and something else entirely if half of the other POSIX 2008 requirements are missing.

[pmatilai]

I think this is mostly a matter of documentation to set the expectations straight, basically:
Rpm is portable within the limitations stated in INSTALL, currently that means POSIX.1-2008.
The rpm-team only maintains the Linux port, but patches for other platforms can be accepted.

[pmatilai]

Portability status clarified in commit 61000db