Skip to content

sublime4: drop openssl_1_1#531298

Merged
MattSturgeon merged 2 commits into
NixOS:masterfrom
gepbird:drop/sublime4-openssl_1_1
Jun 24, 2026
Merged

sublime4: drop openssl_1_1#531298
MattSturgeon merged 2 commits into
NixOS:masterfrom
gepbird:drop/sublime4-openssl_1_1

Conversation

@gepbird

@gepbird gepbird commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Tracking: #269713

I didn't mark it broken, because the core functionality seems to work, I can edit and save files. There's an annoying popup however: "plugin_host-3.3 has exited unexpectedly, some plugin functionality won't be available until Sublime Text has restarted" on launch.

Our options are:

  • someone fixes this derivation without openssl_1_1. According to Upgrade OpenSSL sublimehq/sublime_text#5984 (comment), from 4200 (which we have in nixpkgs) we should be able to only depend on openssl_3
  • mark the whole package as broken
  • keep it at this half broken state

Things done

@nixpkgs-ci nixpkgs-ci Bot requested review from jtojnar, wmertens and zimbatm June 13, 2026 09:29
@nixpkgs-ci nixpkgs-ci Bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. labels Jun 13, 2026
@gepbird gepbird force-pushed the drop/sublime4-openssl_1_1 branch from bf7cd76 to 90a4bb2 Compare June 13, 2026 10:03
@pwr

pwr commented Jun 13, 2026

Copy link
Copy Markdown

There's a ST setting, "disable_plugin_host_3.3": true which stops the plugin_host-3.3 process from starting.
If that is set as a default preference, the plugin_host-3.3 binary could even be removed from the final package.

@jtojnar

jtojnar commented Jun 14, 2026

Copy link
Copy Markdown
Member

4200 only announced the deprecation, the old plugin host is still there for now.

Looking at 4200, it seems even plugin_host-3.8 crashes without `openssl_1_1.

For sublime4-dev (4205), it actually appears that removing the plugin_host-3.3 binary gets rid of the warning even without any settings change. Though doing so will disable packages, including those that are needed for core features (see that e.g. Edit → Sort Lines is grayed out). Fortunately, it looks like it is actually possible to include default settings into a package, which seems to fix that.

So I would be in favour of doing that and marking stable as broken:

diff --git a/pkgs/applications/editors/sublime/4/common.nix b/pkgs/applications/editors/sublime/4/common.nix
index be77793c7964..36e7a4b4896c 100644
--- a/pkgs/applications/editors/sublime/4/common.nix
+++ b/pkgs/applications/editors/sublime/4/common.nix
@@ -22,7 +22,6 @@
   writeShellScript,
   common-updater-scripts,
   curl,
-  openssl_1_1,
   openssl_3_5,
   bzip2,
   sqlite,
@@ -33,7 +32,6 @@ let
   packageAttribute = "sublime4${lib.optionalString dev "-dev"}";
   binaries = [
     "sublime_text"
-    "plugin_host-3.3"
     "plugin_host-3.${if lib.versionAtLeast buildVersion "4205" then "14" else "8"}"
     crashHandlerBinary
   ];
@@ -55,7 +53,6 @@ let
     libxtst
     glib
     libglvnd
-    openssl_1_1
     gtk3
     cairo
     pango
@@ -88,6 +85,8 @@ let
     buildPhase = ''
       runHook preBuild
 
+      rm plugin_host-3.3
+
       for binary in ${builtins.concatStringsSep " " binaries}; do
         patchelf \
           --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
@@ -95,6 +94,8 @@ let
           $binary
       done
 
+      echo '{"disable_plugin_host_3.3": true}' > Packages/Preferences.sublime-settings
+
       # Unable to get plugin_host-3.14 not crash with Python from Nixpkgs
       ${lib.optionalString (lib.versionAtLeast buildVersion "4205") "patchelf --set-rpath ${
         lib.makeLibraryPath [
@@ -223,6 +224,8 @@ stdenv.mkDerivation (finalAttrs: {
     ];
     sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
     license = lib.licenses.unfree;
+    # Packages, including core ones, do not run without plug-in host depending on insecure OpenSSL.
+    broken = lib.versionOlder buildVersion "4205";
     platforms = [
       "aarch64-linux"
       "x86_64-linux"

@gepbird gepbird force-pushed the drop/sublime4-openssl_1_1 branch 2 times, most recently from b39ba43 to 147a2d2 Compare June 16, 2026 00:10
@nixpkgs-ci nixpkgs-ci Bot added the 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. label Jun 16, 2026

@jtojnar jtojnar left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Btw, you have atuhored in the commit message.

@jtojnar

jtojnar commented Jun 16, 2026

Copy link
Copy Markdown
Member

Actually, I wonder if we should perhaps mark the sublime4-dev broken as well to communicate it differs in functionality from upstream. Maybe something like

We have removed Python 3.3 package support ahead of upstream schedule but if you do not use any old packages, this should just work.

@nixpkgs-ci nixpkgs-ci Bot added 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. labels Jun 16, 2026
@gepbird gepbird force-pushed the drop/sublime4-openssl_1_1 branch from 147a2d2 to e0d52c6 Compare June 16, 2026 08:23
@gepbird

gepbird commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Actually, I wonder if we should perhaps mark the sublime4-dev broken as well to communicate it differs in functionality from upstream. Maybe something like

We have removed Python 3.3 package support ahead of upstream schedule but if you do not use any old packages, this should just work.

I wouldn't want to mark it broken since most of the editor is working, but it sounds like an important enough change to emit a warning, I'm not sure how well the plugin ecosystem migrated to newer python.

@gepbird gepbird force-pushed the drop/sublime4-openssl_1_1 branch from e0d52c6 to 897d5ea Compare June 16, 2026 08:33
"aarch64-linux"
"x86_64-linux"
];
problems.removal.message = "We have removed Python 3.3 package support ahead of upstream schedule but if you do not use any old packages, this should just work.";

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be deprecated, but weirdly it doesn't emit a warning by default.
I'm pretty sure removal means that the package in nixpkgs will be removed soon and not that we have removed a feature of the package.

Suggested change
problems.removal.message = "We have removed Python 3.3 package support ahead of upstream schedule but if you do not use any old packages, this should just work.";
problems.deprecated.message = "We have removed Python 3.3 package support ahead of upstream schedule but if you do not use any old packages, this should just work.";

@gepbird gepbird Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is fine, the warning is not misleading:

warning: Package 'sublimetext4-4205' in /home/gep/nixpkgs/pkgs/applications/editors/sublime/4/common.nix:218 has the following problem: removal: We have removed Python 3.3 package support ahead of upstream schedule but if you do not use any old packages, this should just work. See https://nixos.org/manual/nixpkgs/unstable#sec-problems

Currently there's also meta.problems.maintainerless that also doesn't warn by default and fits even less for this use case, I wonder if it's worth adding something like meta.problems.modified for making modifications that are visible to users from upstream's distribution.

@gepbird

gepbird commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

CI is failing because this package newly emits a warning that is intended, cc @NixOS/nixpkgs-ci

@MattSturgeon

MattSturgeon commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

CI is failing because this package newly emits a warning that is intended, cc @NixOS/nixpkgs-ci

Indeed, CI is intentionally strict about not allowing eval warnings, as usually that means something is wrong in the "default" package set. That's the main reason why aliases.nix exists, to gate warnings behind config.allowAliases. See also Silvan's comment w.r.t. channel blockers: #523892 (review)

In this case you're running into #523712, which #523892 is attempting to fix by teaching stdenv and CI about meta.problems.

Comment thread pkgs/applications/editors/sublime/4/common.nix Outdated
@gepbird gepbird force-pushed the drop/sublime4-openssl_1_1 branch from 897d5ea to d6e3085 Compare June 19, 2026 10:47
Comment thread pkgs/applications/editors/sublime/4/common.nix Outdated

@MattSturgeon MattSturgeon left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff SGTM. The nitpicks don't necessarily need addressing, just LMK whether you plan to or not, so we know whether to wait before merging.

Comment thread pkgs/applications/editors/sublime/4/common.nix
$binary
done

echo '{"disable_plugin_host_3.3": true}' > Packages/Preferences.sublime-settings

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same. I assume this is overwriting some default settings? It'd be nice to explain what and/or why.

Again from #531298 (comment), so cc @jtojnar for a wording suggestion

@nixpkgs-ci nixpkgs-ci Bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Jun 23, 2026
Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
@gepbird gepbird force-pushed the drop/sublime4-openssl_1_1 branch from d6e3085 to 76f58ee Compare June 23, 2026 23:37
@MattSturgeon MattSturgeon added this pull request to the merge queue Jun 24, 2026
Merged via the queue into NixOS:master with commit ee63e67 Jun 24, 2026
28 checks passed
@gepbird gepbird deleted the drop/sublime4-openssl_1_1 branch June 24, 2026 08:44
Rayzeq added a commit to Rayzeq/nixos-config that referenced this pull request Jul 5, 2026
Rayzeq added a commit to Rayzeq/nixos-config that referenced this pull request Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 12.approvals: 2 This PR was reviewed and approved by two persons. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants