Setting the SDK root by default allows `overrideSDK` to correctly set
the SDK version when using a different SDK. It also allows the correct
SDK version to be set when using an older deployment target. Not setting
the correct SDK version can result in unexpected behavior at runtime.
Examples:
* Automatic dark mode switching requires linking against an SDK version
of 10.14 or newer. With the current behavior, the only way to do this
is by using a 10.14+ deployment target even when the application
supports older platforms when build with a newer SDK.
* MetalD3D checks that the system version is at least 14.0. The API it
uses returns a compatibility version when the the SDK is older than
11.0, which causes it to display an error and terminate the
application even when even when its requirements are all met.
This is effectively a rewrite of `overrideSDK`. It was required because
`wrapGAppsHook` propagates `depsTargetTarget` with the expectation that
it will effectively be `buildInputs` when the hook is itself used as a
`nativeBuildInput`. This propagates Gtk, which itself propagates the
default Dariwn SDK, making it effectively impossible to override the SDK
when a package depends on Gtk and uses `wrapGAppsHook`.
This rewrite implements the following improvements:
* Cross-compilation should be supported correctly (untested);
* Supports public and private frameworks;
* Supports SDK `libs`;
* Remaps instead of replacing extra (native) build inputs in the stdenv;
* Updates any Darwin framework references in `nix-support`; and
* It updates `xcodebuild` regardless of which input its in.
The implementation avoids recursion for performance reasons. Instead, it
enumerates transitive dependencies and walks the list from the leaf
packages backwards to the parent packages.
The example pertinent to `fccUnlockScripts` contains wrong (maybe old) key names possibly leading to trial/error while configuring the option. This issue can be avoided updating the example.
Based on the derivation from xcbuild.sdk. apple_sdk.sdkRoot provides
version plists and a hook that passes them automatically to the compiler
as `-isysroot`. This is needed to correctly set the SDK version in
compiled binaries. Otherwise, clang will infer the SDK version to be the
same as the deployment target, which is usually not what you want.
Before the change the login into users without passwords was failing:
https://github.com/NixOS/nixpkgs/issues/297920
It used to work when `linux-pam` used direct `shadow` access when ran as
root. The switch to external helper have broken that use case.
Let's pull accepted upstream fix to restore empty password handling.