make-derivation: add disallowedReferences in strictDeps

When strictDeps = true, we don’t want native build inputs to end up in
the output. For instance gcc is a builtin native build input and
should only show up in an output if it is also listed in buildInputs.

/cc @ericson2314

1 files changed, 16 insertions, 0 deletions

diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index e06faed30a1e..08a914787c35 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -226,6 +226,22 @@ rec {
           inherit doCheck doInstallCheck;
 
           inherit outputs;
+        } // lib.optionalAttrs strictDeps {
+          # Make sure "build" dependencies don’t leak into outputs. We
+          # want to disallow references to depsBuildBuild,
+          # nativeBuildInputs, and depsBuildTarget. But depsHostHost,
+          # buildInputs, and depsTargetTarget is okay, so we subtract
+          # those from disallowedReferences in case a dependency is
+          # listed in multiple dependency lists. We also include
+          # propagated dependencies here as well.
+          disallowedReferences = (attrs.disallowedReferences or [])
+          ++ (lib.subtractLists
+              (lib.concatLists ( (lib.elemAt propagatedDependencies 1) ++
+                                 (lib.elemAt dependencies 1) ++
+                                 (lib.elemAt propagatedDependencies 2) ++
+                                 (lib.elemAt dependencies 2) ) )
+              (lib.concatLists ( (lib.elemAt propagatedDependencies 0) ++
+                                 (lib.elemAt dependencies 0) ) ) );
         } // lib.optionalAttrs (stdenv.hostPlatform != stdenv.buildPlatform) {
           cmakeFlags =
             (/**/ if lib.isString cmakeFlags then [cmakeFlags]