author Profpatsch <mail@profpatsch.de> 2019-10-19 16:26:18 +0200
committer Profpatsch <mail@profpatsch.de> 2019-10-29 14:28:53 +0100
commit 14f812aeef754760e7b1f87f7b7c9a887cbf7765
tree 7e49a49ded7e64218a0cd86c0b40e7229c56e275 /pkgs/development/libraries/skalibs
parent fc6d1e0ebf7838750b5cc7e7ce623879e55e5bf3
skawarePackages.skalibs: empty default path
If `PATH` is unset, the exec wrappers in skalibs set a default path to
`/usr/bin:bin`.

This has very unfortunate effects when you e.g. try to run tests on CI
in an empty environment (minus tools explicitly provided by nix with
absolute store paths), because suddenly binaries from outside are
picked up again, especially on non-NixOS.
Even on NixOS, /bin/sh provides another escape hatch if it’s available
from PATH. But on systems like Ubuntu or MacOS (which most CI systems
run on), this picks up all the non-nix binaries.
Diffstat (limited to 'pkgs/development/libraries/skalibs')
-rw-r--r-- pkgs/development/libraries/skalibs/default.nix 3
1 files changed, 3 insertions, 0 deletions
diff --git a/pkgs/development/libraries/skalibs/default.nix b/pkgs/development/libraries/skalibs/default.nix
index 474073f30e4..e5443c5d53a 100644
--- a/pkgs/development/libraries/skalibs/default.nix
+++ b/pkgs/development/libraries/skalibs/default.nix
@@ -18,6 +18,9 @@ buildPackage {
     "--dynlibdir=\${lib}/lib"
     "--includedir=\${dev}/include"
     "--sysdepdir=\${lib}/lib/skalibs/sysdeps"
+    # Empty the default path, which would be "/usr/bin:bin".
+    # It would be set when PATH is empty. This hurts hermeticity.
+    "--with-default-path="
   ];
 
   postInstall = ''
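
Review bot: The added comment above "--with-default-path=" says the default would be set "when PATH is empty", while the commit message describes the fallback as applying when PATH is unset; those are different states, so the comment should say "unset" to match. The comment should also state what an empty default path makes the exec wrappers do, because an empty PATH entry is conventionally resolved as the current working directory, and a lookup there would defeat the hermeticity this flag is meant to restore. Last, the comment spells the default as "/usr/bin:bin", whose second entry is relative; if that is not literally the upstream value, correct it in the comment.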