From 14f812aeef754760e7b1f87f7b7c9a887cbf7765 Mon Sep 17 00:00:00 2001
From: Profpatsch <mail@profpatsch.de>
Date: Sat, 19 Oct 2019 16:26:18 +0200
Subject: [PATCH] skawarePackages.skalibs: empty default path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If `PATH` is unset, the exec wrappers in skalibs set a default path to
`/usr/bin:bin`.

This has very unfortunate effects when you e.g. try to run tests on CI
in an empty environment (minus tools explicitely provided by nix with
absolute store paths), because suddenly binaries from outside are
picked up again, especially on non-NixOS.
Even on NixOS, /bin/sh provides another escape hatch if it’s available
from PATH. But on systems like Ubuntu or MacOS (which most CI systems
run on), this picks up all the non-nix binaries.
---
 pkgs/development/libraries/skalibs/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/development/libraries/skalibs/default.nix b/pkgs/development/libraries/skalibs/default.nix
index 474073f30e41..e5443c5d53a0 100644
--- a/pkgs/development/libraries/skalibs/default.nix
+++ b/pkgs/development/libraries/skalibs/default.nix
@@ -18,6 +18,9 @@ buildPackage {
     "--dynlibdir=\${lib}/lib"
     "--includedir=\${dev}/include"
     "--sysdepdir=\${lib}/lib/skalibs/sysdeps"
+    # Empty the default path, which would be "/usr/bin:bin".
+    # It would be set when PATH is empty. This hurts hermeticity.
+    "--with-default-path="
   ];
 
   postInstall = ''