make-derivation: add disallowedReferences in strictDeps

When strictDeps = true, we don’t want native build inputs to end up in the output. For instance gcc is a builtin native build input and should only show up in an output if it is also listed in buildInputs. /cc @Ericson2314
NixOS · Nov 3, 2018 · 8dbfb61 · 8dbfb61 · nixos-discourse · Nov 18, 2018
1 parent a423464
commit 8dbfb61
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
@@ -226,6 +226,22 @@ rec {
           inherit doCheck doInstallCheck;
 
           inherit outputs;
+        } // lib.optionalAttrs strictDeps {
+          # Make sure "build" dependencies don’t leak into outputs. We
+          # want to disallow references to depsBuildBuild,
+          # nativeBuildInputs, and depsBuildTarget. But depsHostHost,
+          # buildInputs, and depsTargetTarget is okay, so we subtract
+          # those from disallowedReferences in case a dependency is
+          # listed in multiple dependency lists. We also include
+          # propagated dependencies here as well.
+          disallowedReferences = (attrs.disallowedReferences or [])
+          ++ (lib.subtractLists
+              (lib.concatLists ( (lib.elemAt propagatedDependencies 1) ++
+                                 (lib.elemAt dependencies 1) ++
+                                 (lib.elemAt propagatedDependencies 2) ++
+                                 (lib.elemAt dependencies 2) ) )
+              (lib.concatLists ( (lib.elemAt propagatedDependencies 0) ++
+                                 (lib.elemAt dependencies 0) ) ) );
         } // lib.optionalAttrs (stdenv.hostPlatform != stdenv.buildPlatform) {
           cmakeFlags =
             (/**/ if lib.isString cmakeFlags then [cmakeFlags]