From 8dbfb61e4617050917ce6bb7c5f4efc902c2a36c Mon Sep 17 00:00:00 2001
From: Matthew Bauer
Date: Mon, 29 Oct 2018 13:33:42 -0500
Subject: [PATCH] make-derivation: add disallowedReferences in strictDeps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When strictDeps = true, we don’t want native build inputs to end up in the output. For instance gcc is a builtin native build input and should only show up in an output if it is also listed in buildInputs.
/cc @ericson2314
---
 pkgs/stdenv/generic/make-derivation.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index e06faed30a1ea..08a914787c351 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -226,6 +226,22 @@ rec {
 inherit doCheck doInstallCheck;
 inherit outputs;
+ } // lib.optionalAttrs strictDeps {
+ # Make sure "build" dependencies don’t leak into outputs. We
+ # want to disallow references to depsBuildBuild,
+ # nativeBuildInputs, and depsBuildTarget. But depsHostHost,
+ # buildInputs, and depsTargetTarget is okay, so we subtract
+ # those from disallowedReferences in case a dependency is
+ # listed in multiple dependency lists. We also include
+ # propagated dependencies here as well.
+ disallowedReferences = (attrs.disallowedReferences or [])
+ ++ (lib.subtractLists
+ (lib.concatLists ( (lib.elemAt propagatedDependencies 1) ++
+ (lib.elemAt dependencies 1) ++
+ (lib.elemAt propagatedDependencies 2) ++
+ (lib.elemAt dependencies 2) ) )
+ (lib.concatLists ( (lib.elemAt propagatedDependencies 0) ++
+ (lib.elemAt dependencies 0) ) ) );
 } // lib.optionalAttrs (stdenv.hostPlatform != stdenv.buildPlatform) {
 cmakeFlags = (/**/ if lib.isString cmakeFlags then [cmakeFlags]
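Review bot: The bare `lib.elemAt … 0`/`1`/`2` indices in the `disallowedReferences` expression carry the whole policy (0 = the build-time lists, 1 and 2 = the host and target lists, going by the comment), so a reordering of `dependencies` or `propagatedDependencies` elsewhere in the file would silently change what is forbidden. Binding each group to a name would keep the rule auditable, e.g. `buildTimeDeps = lib.concatLists (lib.elemAt propagatedDependencies 0 ++ lib.elemAt dependencies 0);`, with a matching binding for the allowed group. `lib.subtractLists` also removes only entries equal to one in the allowed lists, and the result forbids only the exact entries listed. The check therefore presumably misses a reference to a different output of the same build-time package, and tools the stdenv supplies implicitly (the gcc case in the commit message) are covered only if they actually appear in these lists. How the lists are populated is outside this hunk, so this should be confirmed and stated in the comment. The enclosing attribute set starts and ends outside the hunk.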