stdenv/check-meta: add note for Flake usage

Flake users that use a command like `nix build nixpkgs#hello` on a
broken/insecure package will not be able to use an environment variable
to override that behavior, unless they pass `--impure` to the command.

Co-authored-by: pkharvey <kayharvey@protonmail.com>

1 files changed, 9 insertions, 2 deletions

diff --git a/pkgs/stdenv/generic/check-meta.nix b/pkgs/stdenv/generic/check-meta.nix
index 7a70accb723..44caa6838e8 100644
--- a/pkgs/stdenv/generic/check-meta.nix
+++ b/pkgs/stdenv/generic/check-meta.nix
@@ -119,13 +119,20 @@ let
         }
     '';
 
+    # flakeNote will be printed in the remediation messages below.
+    flakeNote = "
+ Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
+ (Flake) command, `--impure` must be passed in order to read this
+ environment variable.
+    ";
+
   remediate_allowlist = allow_attr: rebuild_amendment: attrs:
     ''
       a) To temporarily allow ${remediation_phrase allow_attr}, you can use an environment variable
          for a single invocation of the nix tools.
 
            $ export ${remediation_env_var allow_attr}=1
-
+           ${flakeNote}
       b) For `nixos-rebuild` you can set
         { nixpkgs.config.allow${allow_attr} = true; }
       in configuration.nix to override this.
@@ -148,7 +155,7 @@ let
            variable for a single invocation of the nix tools:
 
              $ export NIXPKGS_ALLOW_INSECURE=1
-
+             ${flakeNote}
         b) for `nixos-rebuild` you can add ‘${getName attrs}’ to
            `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
            like so: