nixpkgs implicit global configuration file is an hidden source of non reproducibility

[guibou]

Issue description

Implicitly, when we import a nixpkgs clone, using nixpkgs = import (tarballOfNixpkgs) {} and without providing a config or overlays attribute, nixpkgs implicitly loads a global configuration file. See:

nixpkgs/pkgs/top-level/impure.nix

Lines 29 to 73 in fc27772

	config ? let
	configFile = getEnv "NIXPKGS_CONFIG";
	configFile2 = homeDir + "/.config/nixpkgs/config.nix";
	configFile3 = homeDir + "/.nixpkgs/config.nix"; # obsolete
	in
	if configFile != "" && pathExists configFile then import configFile
	else if homeDir != "" && pathExists configFile2 then import configFile2
	else if homeDir != "" && pathExists configFile3 then import configFile3
	else {}
	, # Overlays are used to extend Nixpkgs collection with additional
	# collections of packages. These collection of packages are part of the
	# fix-point made by Nixpkgs.
	overlays ? let
	isDir = path: pathExists (path + "/.");
	pathOverlays = try (toString <nixpkgs-overlays>) "";
	homeOverlaysFile = homeDir + "/.config/nixpkgs/overlays.nix";
	homeOverlaysDir = homeDir + "/.config/nixpkgs/overlays";
	overlays = path:
	# check if the path is a directory or a file
	if isDir path then
	# it's a directory, so the set of overlays from the directory, ordered lexicographically
	let content = readDir path; in
	map (n: import (path + ("/" + n)))
	(builtins.filter (n: builtins.match ".*\\.nix" n != null || pathExists (path + ("/" + n + "/default.nix")))
	(attrNames content))
	else
	# it's a file, so the result is the contents of the file itself
	import path;
	in
	if pathOverlays != "" && pathExists pathOverlays then overlays pathOverlays
	else if pathExists homeOverlaysFile && pathExists homeOverlaysDir then
	throw ''
	Nixpkgs overlays can be specified with ${homeOverlaysFile} or ${homeOverlaysDir}, but not both.
	Please remove one of them and try again.
	''
	else if pathExists homeOverlaysFile then
	if isDir homeOverlaysFile then
	throw (homeOverlaysFile + " should be a file")
	else overlays homeOverlaysFile
	else if pathExists homeOverlaysDir then
	if !(isDir homeOverlaysDir) then
	throw (homeOverlaysDir + " should be a directory")
	else overlays homeOverlaysDir
	else []

This can lead to hermeticity issues if the global configuration contains packageOverrides or some other settings which have an impact on the final build.

This behavior is enabled by default in nixpkgs.

I understand the reasons to get it by default when using the "global" <nixpkgs> package, for example when using nix-env -i or nix-shell in a directory without default.nix.

Could it be possible to insert a new attribute to nixpkgs, such as useGlobalConfiguration, which will default to false and will be overrode to true by tools such as nix-env or nix-shell in the right context?

[matthewbauer]

You can always set config = {} when instantiating Nixpkgs to override the default

[guibou]

@matthewbauer

Yes, you are right, it is possible to override config.

However that's still a problem of discoverability and safe defaults. By default it is non hermetic and it becomes hermetic if the user is aware of the problem and think about overriding the default behavior.

[edolstra]

The nix flakes branch changes the nix command to run in pure mode by default, making it impossible to depend on the Nixpkgs configuration file accidentally. (In pure mode, you can't access environment variables like HOME or read arbitrary files.)

[guibou]

The same is true for overlays setting which will be read from the global configuration file too. I updated my description accordingly.

[stale]

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
2. Ask on the NixOS Discourse.
3. Ask on the #nixos channel on irc.freenode.net.

[tomprince]

It would be nice to have a documented way of getting a pure evaluation, even when not using flakes. It looks like flakes currently does execute impure.nix, depending on the flake evaluation machinery to ensure that it is in fact pure; which I suspect doesn't work with flake-compat.

This could just be importing pkgs/top-level (if that was documented, and guaranteed to keep working). I'd prefer it not be passing {config = {}; overlays = [];} as it seems likely that the set of things needing to be passed could increase in the future.

[stale]

I marked this as stale due to inactivity. → More info