let lib = import ../../../lib; in lib.makeOverridable (
{ name ? "stdenv", preHook ? "", initialPath, cc, shell
, allowedRequisites ? null, extraAttrs ? {}, overrides ? (self: super: {}), config
, # The `fetchurl' to use for downloading curl and its dependencies
# (see all-packages.nix).
, setupScript ? ./setup.sh
, extraBuildInputs ? []
, __stdenvImpureHostDeps ? []
, __extraImpureHostDeps ? []
, stdenvSandboxProfile ? ""
, extraSandboxProfile ? ""
, # The platforms here do *not* correspond to the stage the stdenv is
# used in, but rather the previous one, in which it was built. We
# use the latter two platforms, like a cross compiler, because the
# stand environment is a build tool if you squint at it, and because
# neither of these are used when building stdenv so we know the
# build platform is irrelevant.
hostPlatform, targetPlatform
inherit (targetPlatform) system;
# See discussion at https://github.com/NixOS/nixpkgs/pull/25304#issuecomment-298385426
# for why this defaults to false, but I (@copumpkin) want to default it to true soon.
shouldCheckMeta = config.checkMeta or false;
allowUnfree = config.allowUnfree or false || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
whitelist = config.whitelistedLicenses or [];
blacklist = config.blacklistedLicenses or [];
ifDarwin = attrs: if system == "x86_64-darwin" then attrs else {};
onlyLicenses = list:
lib.lists.all (license:
let l = lib.licenses.${license.shortName or "BROKEN"} or false; in
if license == l then true else
throw ''${showLicense license} is not an attribute of lib.licenses''
) list;
mutuallyExclusive = a: b:
(builtins.length a) == 0 ||
(!(builtins.elem (builtins.head a) b) &&
mutuallyExclusive (builtins.tail a) b);
areLicenseListsValid =
if mutuallyExclusive whitelist blacklist then
assert onlyLicenses whitelist; assert onlyLicenses blacklist; true
throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive.";
hasLicense = attrs:
attrs ? meta.license;
hasWhitelistedLicense = assert areLicenseListsValid; attrs:
hasLicense attrs && builtins.elem attrs.meta.license whitelist;
hasBlacklistedLicense = assert areLicenseListsValid; attrs:
hasLicense attrs && builtins.elem attrs.meta.license blacklist;
allowBroken = config.allowBroken or false || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
isUnfree = licenses: lib.lists.any (l:
!l.free or true || l == "unfree" || l == "unfree-redistributable") licenses;
# Alow granular checks to allow only some unfree packages
# Example:
# {pkgs, ...}:
# {
# allowUnfree = false;
# allowUnfreePredicate = (x: pkgs.lib.hasPrefix "flashplayer-" x.name);
# }
allowUnfreePredicate = config.allowUnfreePredicate or (x: false);
# Check whether unfree packages are allowed and if not, whether the
# package has an unfree license and is not explicitely allowed by the
# `allowUNfreePredicate` function.
hasDeniedUnfreeLicense = attrs:
!allowUnfree &&
hasLicense attrs &&
isUnfree (lib.lists.toList attrs.meta.license) &&
!allowUnfreePredicate attrs;
allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x;
hasAllowedInsecure = attrs:
(attrs.meta.knownVulnerabilities or []) == [] ||
allowInsecurePredicate attrs ||
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
showLicense = license: license.shortName or "unknown";
defaultNativeBuildInputs = extraBuildInputs ++
[ ../../build-support/setup-hooks/move-docs.sh
# FIXME this on Darwin; see
# https://github.com/NixOS/nixpkgs/commit/94d164dd7#commitcomment-22030369
++ lib.optional result.isLinux ../../build-support/setup-hooks/audit-tmpdir.sh
++ [
# `mkDerivation` wraps the builtin `derivation` function to
# produce derivations that use this stdenv and its shell.
# See also:
# * https://nixos.org/nixpkgs/manual/#sec-using-stdenv
# Details on how to use this mkDerivation function
# * https://nixos.org/nix/manual/#ssec-derivation
# Explanation about derivations in general
mkDerivation =
{ buildInputs ? []
, nativeBuildInputs ? []
, propagatedBuildInputs ? []
, propagatedNativeBuildInputs ? []
, crossConfig ? null
, meta ? {}
, passthru ? {}
, pos ? null # position used in error messages and for meta.position
, separateDebugInfo ? false
, outputs ? [ "out" ]
, __impureHostDeps ? []
, __propagatedImpureHostDeps ? []
, sandboxProfile ? ""
, propagatedSandboxProfile ? ""
, ... } @ attrs:
let # Rename argumemnts to avoid cycles
buildInputs__ = buildInputs;
nativeBuildInputs__ = nativeBuildInputs;
propagatedBuildInputs__ = propagatedBuildInputs;
propagatedNativeBuildInputs__ = propagatedNativeBuildInputs;
in let
getNativeDrv = drv: drv.nativeDrv or drv;
getCrossDrv = drv: drv.crossDrv or drv;
nativeBuildInputs = map getNativeDrv nativeBuildInputs__;
buildInputs = map getCrossDrv buildInputs__;
propagatedBuildInputs = map getCrossDrv propagatedBuildInputs__;
propagatedNativeBuildInputs = map getNativeDrv propagatedNativeBuildInputs__;
in let
pos' =
if pos != null then
else if attrs.meta.description or null != null then
builtins.unsafeGetAttrPos "description" attrs.meta
builtins.unsafeGetAttrPos "name" attrs;
pos'' = if pos' != null then "" + pos'.file + ":" + toString pos'.line + "" else "«unknown-file»";
remediation = {
unfree = remediate_whitelist "Unfree";
broken = remediate_whitelist "Broken";
blacklisted = x: "";
insecure = remediate_insecure;
unknown-meta = x: "";
remediate_whitelist = allow_attr: attrs:
a) For `nixos-rebuild` you can set
{ nixpkgs.config.allow${allow_attr} = true; }
in configuration.nix to override this.
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
{ allow${allow_attr} = true; }
to ~/.config/nixpkgs/config.nix.
remediate_insecure = attrs:
Known issues:
'' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + ''
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ${attrs.name or "«name-missing»"} to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
nixpkgs.config.permittedInsecurePackages = [
"${attrs.name or "«name-missing»"}"
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
${attrs.name or "«name-missing»"} to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
permittedInsecurePackages = [
"${attrs.name or "«name-missing»"}"
throwEvalHelp = { reason , errormsg ? "" }:
throw (''
Package ${attrs.name or "«name-missing»"} in ${pos''} ${errormsg}, refusing to evaluate.
'' + ((builtins.getAttr reason remediation) attrs));
metaTypes = with lib.types; rec {
# These keys are documented
description = str;
longDescription = str;
branch = str;
homepage = str;
downloadPage = str;
license = either (listOf lib.types.attrs) (either lib.types.attrs str);
maintainers = listOf str;
priority = int;
platforms = listOf str;
hydraPlatforms = listOf str;
broken = bool;
# Weirder stuff that doesn't appear in the documentation?
version = str;
tag = str;
updateWalker = bool;
executables = listOf str;
outputsToInstall = listOf str;
position = str;
repositories = attrsOf str;
isBuildPythonPackage = platforms;
schedulingPriority = str;
downloadURLRegexp = str;
isFcitxEngine = bool;
isIbusEngine = bool;
checkMetaAttr = k: v:
if metaTypes?${k} then
if metaTypes.${k}.check v then null else "key '${k}' has a value ${v} of an invalid type ${builtins.typeOf v}; expected ${metaTypes.${k}.description}"
else "key '${k}' is unrecognized; expected one of: \n\t [${lib.concatMapStringsSep ", " (x: "'${x}'") (lib.attrNames metaTypes)}]";
checkMeta = meta: if shouldCheckMeta then lib.remove null (lib.mapAttrsToList checkMetaAttr meta) else [];
# Check if a derivation is valid, that is whether it passes checks for
# e.g brokenness or license.
# Return { valid: Bool } and additionally
# { reason: String; errormsg: String } if it is not valid, where
# reason is one of "unfree", "blacklisted" or "broken".
checkValidity = attrs:
if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
{ valid = false; reason = "unfree"; errormsg = "has an unfree license (${showLicense attrs.meta.license})"; }
else if hasBlacklistedLicense attrs then
{ valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (${showLicense attrs.meta.license})"; }
else if !allowBroken && attrs.meta.broken or false then
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then
{ valid = false; reason = "broken"; errormsg = "is not supported on ${result.system}"; }
else if !(hasAllowedInsecure attrs) then
{ valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
else let res = checkMeta (attrs.meta or {}); in if res != [] then
{ valid = false; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${lib.concatMapStrings (x: "\n\t - " + x) res}"; }
else { valid = true; };
outputs' =
outputs ++
(if separateDebugInfo then assert targetPlatform.isLinux; [ "debug" ] else []);
buildInputs' = lib.chooseDevOutputs buildInputs ++
(if separateDebugInfo then [ ../../build-support/setup-hooks/separate-debug-info.sh ] else []);
nativeBuildInputs' = lib.chooseDevOutputs nativeBuildInputs;
propagatedBuildInputs' = lib.chooseDevOutputs propagatedBuildInputs;
propagatedNativeBuildInputs' = lib.chooseDevOutputs propagatedNativeBuildInputs;
# Throw an error if trying to evaluate an non-valid derivation
assert let v = checkValidity attrs;
in if !v.valid
then throwEvalHelp (removeAttrs v ["valid"])
else true;
lib.addPassthru (derivation (
(removeAttrs attrs
["meta" "passthru" "crossAttrs" "pos"
"__impureHostDeps" "__propagatedImpureHostDeps"
"sandboxProfile" "propagatedSandboxProfile"])
// (let
computedSandboxProfile =
lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs');
computedPropagatedSandboxProfile =
lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs');
computedImpureHostDeps =
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs'));
computedPropagatedImpureHostDeps =
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs'));
builder = attrs.realBuilder or shell;
args = attrs.args or ["-e" (attrs.builder or ./default-builder.sh)];
stdenv = result;
system = result.system;
userHook = config.stdenv.userHook or null;
__ignoreNulls = true;
# Inputs built by the cross compiler.
buildInputs = buildInputs';
propagatedBuildInputs = propagatedBuildInputs';
# Inputs built by the usual native compiler.
nativeBuildInputs = nativeBuildInputs'
++ lib.optional
|| (crossConfig != null && lib.hasSuffix "mingw32" crossConfig))
propagatedNativeBuildInputs = propagatedNativeBuildInputs';
} // ifDarwin {
# TODO: remove lib.unique once nix has a list canonicalization primitive
__sandboxProfile =
let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
in final;
__propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
__impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
__propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
} // (if outputs' != [ "out" ] then {
outputs = outputs';
} else { })))) (
overrideAttrs = f: mkDerivation (attrs // (f attrs));
# The meta attribute is passed in the resulting attribute set,
# but it's not part of the actual derivation, i.e., it's not
# passed to the builder and is not a dependency. But since we
# include it in the result, it *is* available to nix-env for queries.
meta = { }
# If the packager hasn't specified `outputsToInstall`, choose a default,
# which is the name of `p.bin or p.out or p`;
# if he has specified it, it will be overridden below in `// meta`.
# Note: This default probably shouldn't be globally configurable.
# Services and users should specify outputs explicitly,
# unless they are comfortable with this default.
// { outputsToInstall =
outs = outputs'; # the value passed to derivation primitive
hasOutput = out: builtins.elem out outs;
in [( lib.findFirst hasOutput null (["bin" "out"] ++ outs) )];
// meta
# Fill `meta.position` to identify the source location of the package.
// lib.optionalAttrs (pos' != null)
{ position = pos'.file + ":" + toString pos'.line; }
inherit passthru;
} //
# Pass through extra attributes that are not inputs, but
# should be made available to Nix expressions using the
# derivation (e.g., in assertions).
# The stdenv that we are producing.
result =
derivation (
(if isNull allowedRequisites then {} else { allowedRequisites = allowedRequisites ++ defaultNativeBuildInputs; }) //
inherit system name;
builder = shell;
args = ["-e" ./builder.sh];
setup = setupScript;
inherit preHook initialPath shell defaultNativeBuildInputs;
// ifDarwin {
__sandboxProfile = stdenvSandboxProfile;
__impureHostDeps = __stdenvImpureHostDeps;
// rec {
meta = {
description = "The default build environment for Unix packages in Nixpkgs";
platforms = lib.platforms.all;
# Utility flags to test the type of platform.
inherit (hostPlatform)
isDarwin isLinux isSunOS isHurd isCygwin isFreeBSD isOpenBSD
isi686 isx86_64 is64bit isMips isBigEndian;
isArm = hostPlatform.isArm32;
isAarch64 = hostPlatform.isArm64;
# Whether we should run paxctl to pax-mark binaries.
needsPax = isLinux;
inherit mkDerivation;
# For convenience, bring in the library functions in lib/ so
# packages don't have to do that themselves.
inherit lib;
inherit fetchurlBoot;
inherit overrides;
inherit cc;
# Propagate any extra attributes. For instance, we use this to
# "lift" packages like curl from the final stdenv for Linux to
# all-packages.nix for that platform (meaning that it has a line
# like curl = if stdenv ? curl then stdenv.curl else ...).
// extraAttrs;
in result)