Using Nix for static Rust binaries (repro-env)

kpcyrd kpcyrd at archlinux.org
Sun Apr 19 22:46:06 UTC 2026 

Dear list,

about 3 years ago I wrote and released repro-env[0], which I use to attach a 
documented build environment to my pre-compiled release binaries, as well as my 
3rd party apt repository that I run.

[0]: https://github.com/kpcyrd/repro-env

You can obviously use repro-env to compile a static repro-env binary 
(bootstrapped through any recent Rust compiler), but I figured it's probably 
also good style to allow building a statically linked binary through nix.

I needed to update my flake.lock and things broke now, that I struggle to fix - 
this is my error:

--- 8< ---

error: Cannot build 
'/nix/store/sz2ql05irqgsm59zxhnb4q48m0lnv86v-repro-env-0.4.3.drv'.
        Reason: builder failed with exit code 101.
        Output paths:
          /nix/store/9dk8x5z9vx8ss8vx9h7jamm7fll1j55i-repro-env-0.4.3
        Last 25 log lines:
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
bcm.c:(.text.pkey_rsa_ctrl_str+0x24d): undefined reference to `__isoc23_strtol'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
/build/source/target/x86_64-unknown-linux-musl/release/deps/libaws_lc_sys-645044d4f78209d0.rlib(f8e4fd781484bd36-bcm.o): 
in function `aws_lc_0_40_0_Keccak1600_Absorb_once_x4.part.0':
        > 
bcm.c:(.text.aws_lc_0_40_0_Keccak1600_Absorb_once_x4.part.0+0x2b3): undefined 
reference to `__memcpy_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
bcm.c:(.text.aws_lc_0_40_0_Keccak1600_Absorb_once_x4.part.0+0x2cd): undefined 
reference to `__memcpy_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
bcm.c:(.text.aws_lc_0_40_0_Keccak1600_Absorb_once_x4.part.0+0x2e7): undefined 
reference to `__memcpy_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
bcm.c:(.text.aws_lc_0_40_0_Keccak1600_Absorb_once_x4.part.0+0x2fe): undefined 
reference to `__memcpy_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
/build/source/target/x86_64-unknown-linux-musl/release/deps/libaws_lc_sys-645044d4f78209d0.rlib(7bf3e571b6558a6b-urandom.o): 
in function `ensure_entropy_state_is_initd_once':
        >           urandom.c:(.text.ensure_entropy_state_is_initd_once+0x65): 
undefined reference to `__fprintf_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
urandom.c:(.text.ensure_entropy_state_is_initd_once+0x183): undefined reference 
to `__fprintf_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
urandom.c:(.text.ensure_entropy_state_is_initd_once+0x1fc): undefined reference 
to `__fprintf_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
/build/source/target/x86_64-unknown-linux-musl/release/deps/libaws_lc_sys-645044d4f78209d0.rlib(fb1f39df2ea6f08f-dsa.o): 
in function `aws_lc_0_40_0_dsa_internal_paramgen':
        >           dsa.c:(.text.aws_lc_0_40_0_dsa_internal_paramgen+0x20c): 
undefined reference to `__memcpy_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
dsa.c:(.text.aws_lc_0_40_0_dsa_internal_paramgen+0x220): undefined reference to 
`__memcpy_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
dsa.c:(.text.aws_lc_0_40_0_dsa_internal_paramgen+0x76f): undefined reference to 
`__memcpy_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
/build/source/target/x86_64-unknown-linux-musl/release/deps/libaws_lc_sys-645044d4f78209d0.rlib(30a9a10d3f98970e-mem.o): 
in function `aws_lc_0_40_0_OPENSSL_vasprintf_internal':
        >           mem.c:(.text.aws_lc_0_40_0_OPENSSL_vasprintf_internal+0x89): 
undefined reference to `__vsnprintf_chk'
        > 
/nix/store/z3za8hfc24wb117s50p8b10agjkgm039-binutils-2.44/bin/ld: 
mem.c:(.text.aws_lc_0_40_0_OPENSSL_vasprintf_internal+0xd1): undefined reference 
to `__vsnprintf_chk'
        >           collect2: error: ld returned 1 exit status
        >
        >   = note: some `extern` functions couldn't be found; some native 
libraries may need to be installed or have their path specified
        >   = note: use the `-l` flag to specify native libraries to link
        >   = note: use the `cargo:rustc-link-lib` directive to specify the 
native libraries to link with Cargo (see 
https://doc.rust-lang.org/cargo/reference/build-scripts.html#rustc-link-lib)
        >
        >
        > [naersk] cargo returned with exit code 101, exiting
        For full logs, run:
          nix log /nix/store/sz2ql05irqgsm59zxhnb4q48m0lnv86v-repro-env-0.4.3.drv

--- >8 ---

I assume it's explicitly because I'm trying to opt-out of dynamic linking, so 
nix is only used as a build tool, but not needed as a runtime dependency.

The static binary still compiles fine in `repro-env`, which is using an Arch 
Linux SBOM to setup the build environment, source code and build instructions 
are identical.

Rolling back to `e30fa224d0bb4dc1ae8463cbdb4c4e92c92d3ca3` from the repro-env 
repository makes both build tools succeed again, which undoes the reqwest 0.13 
update that changed the cryptographic backend for rustls from ring to aws-lc.

I know aws-lc is using cmake internally, maybe this breaks the static compile?

My flake.nix can be found here, I assume it's a problem in fenix/naersk/nixpkgs 
interoperability:

https://github.com/kpcyrd/repro-env/blob/5e818c9e3b44bfc41ed61f99d49688f18e7393d4/flake.nix

Help/input very welcome.

More information about the rb-general mailing list