Do allowed requisites check in stdenv/linux

Use the new allowedRequisites feature in stdenvLinux. This way we properly check that the end-result stdenv of the quite complicated multi-stage stdenvLinux building procedure is sane, and only depends on the stuff that we know about. Alternative would be to just disallowRequisites bootstrapTools, which is the most common offender, but we have had other offenders in the past. For these checks to actually fire, you currently have to use nixUnstable, as the necessary feature will be released in Nix 1.8.
2024-11-25 16:33:15 +00:00 · 2014-08-29 22:09:01 +02:00 · 2014-08-29 22:09:01 +02:00 · efcb00d002
commit efcb00d002
parent e6bf8a09ba
2 changed files with 21 additions and 13 deletions
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@ -1,7 +1,7 @@
 let lib = import ../../../lib; in lib.makeOverridable (

 { system, name ? "stdenv", preHook ? "", initialPath, gcc, shell
-, extraAttrs ? {}, overrides ? (pkgs: {}), config
+, allowedRequisites ? null, extraAttrs ? {}, overrides ? (pkgs: {}), config

 , # The `fetchurl' to use for downloading curl and its dependencies
  # (see all-packages.nix).
@ -117,8 +117,9 @@ let

  # The stdenv that we are producing.
  result =
-
-    derivation {
+    derivation (
+    (if isNull allowedRequisites then {} else { inherit allowedRequisites; }) //
+    {
      inherit system name;

      builder = shell;
@ -131,7 +132,7 @@ let

      propagatedUserEnvPkgs = [gcc] ++
        lib.filter lib.isDerivation initialPath;
-    }
+    })

    // rec {

--- a/pkgs/stdenv/linux/default.nix
+++ b/pkgs/stdenv/linux/default.nix
@ -192,7 +192,7 @@ rec {
      name = "bootstrap-gcc-wrapper";
    };
    overrides = pkgs: {
-      inherit (stage2.pkgs) binutils glibc perl patchelf;
+      inherit (stage2.pkgs) binutils glibc perl patchelf linuxHeaders;
      # Link GCC statically against GMP etc.  This makes sense because
      # these builds of the libraries are only used by GCC, so it
      # reduces the size of the stdenv closure.
@ -225,7 +225,14 @@ rec {
      # because gcc (since JAR support) already depends on zlib, and
      # then if we already have a zlib we want to use that for the
      # other purposes (binutils and top-level pkgs) too.
-      inherit (stage3.pkgs) gettext gnum4 gmp perl glibc zlib;
+      inherit (stage3.pkgs) gettext gnum4 gmp perl glibc zlib linuxHeaders;
+
+      gcc = (wrapGCC {
+        gcc = stage4.stdenv.gcc.gcc;
+        libc = stage4.pkgs.glibc;
+        inherit (stage4.pkgs) binutils coreutils;
+        name = "";
+      }).override { shell = stage4.pkgs.bash + "/bin/bash"; };
    };
    extraBuildInputs = [ stage3.pkgs.patchelf stage3.pkgs.xz ];
  };
@ -254,14 +261,9 @@ rec {

    extraBuildInputs = [ stage4.pkgs.patchelf stage4.pkgs.paxctl ];

-    shell = stage4.pkgs.bash + "/bin/bash";
+    gcc = stage4.pkgs.gcc;

-    gcc = (wrapGCC rec {
-      gcc = stage4.stdenv.gcc.gcc;
-      libc = stage4.pkgs.glibc;
-      inherit (stage4.pkgs) binutils coreutils;
-      name = "";
-    }).override { inherit shell; };
+    shell = gcc.shell;

    inherit (stage4.stdenv) fetchurlBoot;

@ -271,6 +273,11 @@ rec {
      shellPackage = stage4.pkgs.bash;
    };

+    allowedRequisites = with stage4.pkgs;
+      [ gzip bzip2 xz bash binutils coreutils diffutils findutils gawk
+        glibc gnumake gnused gnutar gnugrep gnupatch patchelf attr acl
+        paxctl zlib pcre linuxHeaders ed gcc gcc.gcc libsigsegv ];
+
    overrides = pkgs: {
      inherit gcc;
      inherit (stage4.pkgs)