fix(faigate): restore pydantic-core source-build hardening for clean linkage audit #2
Open
typelicious wants to merge 1 commit into
…linkage audit

`brew upgrade fusionaize/tap/faigate` to v2.3.0 prints `Failed changing dylib ID of ... pydantic_core/_pydantic_core.cpython-312-darwin.so ... Updated load commands do not fit in the header ... needs to be relinked, possibly with -headerpad_max_install_names` on every install. Runtime startup happens to work, so the regression was masked, but Homebrew's linkage audit is broken on every upgrade.

Root cause: this formula was switched to `pip install --prefer-binary` to skip the 3-5 min cargo build, which silently dropped the v1.2.2 hardening. Prebuilt pydantic-core / watchfiles wheels are linked upstream without extra Mach-O headerpad space, so the post-install `install_name_tool -id` rewrite cannot fit the new install name. The `LDFLAGS -headerpad_max_install_names` flag we kept is a no-op for files that pip did not compile.

Fix: re-introduce `PIP_NO_BINARY=pydantic-core,watchfiles`, restore the rust build dependency, and drop `--prefer-binary`. This is the exact pattern that v1.2.2 / v1.2.3 originally landed and is mirrored as a golden reference in fusionAIze/faigate's own Formula/faigate.rb.

The 3-5 min source build returns. That is the price of a clean linkage audit. Do not switch back to `--prefer-binary` until pydantic-core upstream ships wheels with sufficient headerpad.

See: https://github.com/fusionAIze/faigate/blob/main/docs/PUBLISHING.md#macos-packaging-guard

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
`brew upgrade fusionaize/tap/faigate` to v2.3.0 prints on every install:

Runtime startup happens to keep working, which masked the regression — but Homebrew's linkage audit is broken on every upgrade and the noisy errors are user-visible.
Root cause
This formula was switched to `pip install --prefer-binary` (and dropped `PIP_NO_BINARY=pydantic-core,watchfiles` and the `rust` build dep) to skip the 3–5 min cargo build. That silently regressed the v1.2.2 hardening recorded in fusionAIze/faigate `RELEASES.md`. Prebuilt `pydantic-core` / `watchfiles` wheels are linked upstream without extra Mach-O headerpad space, so the post-install `install_name_tool -id` rewrite cannot fit the new install name. The `LDFLAGS -headerpad_max_install_names` flag the formula kept is a no-op for files pip did not compile.
Fix
Re-introduce `PIP_NO_BINARY=pydantic-core,watchfiles`, restore the `rust => :build` dependency, drop `--prefer-binary`, and inline a comment explaining why so this regression cannot land silently a third time. Same pattern as v1.2.2 / v1.2.3, now mirrored as a golden reference in fusionAIze/faigate `Formula/faigate.rb` (PR faigate#219).
Trade-off
The 3–5 min source build returns on `brew upgrade`. This is the price of a clean linkage audit and silent installs for users. Do not switch back to `--prefer-binary` until pydantic-core upstream ships wheels with sufficient headerpad.
Test plan
- `brew upgrade fusionaize/tap/faigate` prints zero `Failed changing dylib ID` / `Failed to fix install linkage` lines
- `faigate --version` reports `v2.3.0`
- `brew services restart fusionaize/tap/faigate` and confirm the gateway boots and pydantic-validated models work end-to-end

🤖 Generated with Claude Code
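The headerpad mechanics behind the root cause, as an added example that is not code from this PR, the tap or the faigate project: a small Python parser that reads a 64-bit Mach-O's load commands, measures the slack between them and the first section's file data (the space `-headerpad_max_install_names` asks the linker to reserve), and decides whether `install_name_tool -id` could grow `LC_ID_DYLIB` to a longer install name without a relink. `build_macho` constructs a minimal dylib image with a chosen headerpad so the check can run offline; the Cellar path in the usage below and the image layout are assumptions made for illustration, not values from a real pydantic-core wheel.

```python
import struct

# Constants from <mach-o/loader.h>; only little-endian 64-bit images are handled here
MH_MAGIC_64, LC_SEGMENT_64, LC_ID_DYLIB = 0xFEEDFACF, 0x19, 0x0D
HEADER_SIZE = 32  # sizeof(struct mach_header_64)

def _id_cmdsize(name: str) -> int:
    # sizeof(struct dylib_command) is 24; the NUL-terminated name is padded to 8 bytes
    return (24 + len(name.encode()) + 1 + 7) & ~7

def build_macho(id_name: str, headerpad: int) -> bytes:
    """Constructed minimal arm64 MH_DYLIB: one __TEXT segment/section plus LC_ID_DYLIB, with `headerpad` spare bytes."""
    sect_off = HEADER_SIZE + 72 + 80 + _id_cmdsize(id_name) + headerpad
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 152, b"__TEXT", 0, 0x4000, 0, 0x4000, 7, 5, 1, 0)
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", sect_off, 16, sect_off, 2, 0, 0, 0, 0, 0, 0)
    size = _id_cmdsize(id_name)
    dylib = struct.pack("<IIIIII", LC_ID_DYLIB, size, 24, 0, 0x10000, 0x10000)
    dylib += (id_name.encode() + b"\0").ljust(size - 24, b"\0")
    cmds = seg + sect + dylib
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 6, 2, len(cmds), 0, 0)  # ncmds=2, filetype=MH_DYLIB
    return (hdr + cmds).ljust(sect_off, b"\0") + bytes(16)  # zero-filled __text payload

def _walk(data: bytes):
    """Return (LC_ID_DYLIB cmdsize, lowest section file offset, sizeofcmds)."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    assert magic == MH_MAGIC_64, "not a little-endian 64-bit Mach-O"
    off, id_size, first_sect = HEADER_SIZE, None, None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_ID_DYLIB:
            id_size = cmdsize
        elif cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]  # nsects follows maxprot/initprot
            for i in range(nsects):  # section_64.offset sits 48 bytes into each 80-byte entry
                s_off = struct.unpack_from("<I", data, off + 72 + 80 * i + 48)[0]
                if s_off and (first_sect is None or s_off < first_sect):
                    first_sect = s_off
        off += cmdsize
    return id_size, first_sect, sizeofcmds

def headerpad_slack(data: bytes) -> int:
    """Spare bytes after the load commands; -headerpad_max_install_names makes the linker reserve these."""
    _, first_sect, sizeofcmds = _walk(data)
    return first_sect - (HEADER_SIZE + sizeofcmds)

def id_rewrite_fits(data: bytes, new_id: str) -> bool:
    """True when `install_name_tool -id new_id` can grow LC_ID_DYLIB in place, i.e. no relink is needed."""
    id_size, _, _ = _walk(data)
    return _id_cmdsize(new_id) - id_size <= headerpad_slack(data)
```

With an image built as `build_macho("@rpath/_pydantic_core.cpython-312-darwin.so", 0)` (no headerpad, as an upstream wheel is linked) `id_rewrite_fits` returns False for a long Cellar install name, which is the "Updated load commands do not fit in the header" condition; the same image built with a 1024-byte headerpad returns True.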