From 9e8cd72ec1f4c68b47676f0b71bc3d6532316869 Mon Sep 17 00:00:00 2001 From: Guillaume Bouchard Date: Sun, 2 Jun 2019 15:43:59 +0200 Subject: [PATCH] Disable implicit nixpkgs config file *This is a breaking change* By default, nixpkgs will read a global configuration file, by default `~/.config/nixpkgs/config.nix`. This leads to reproducibility issues if the configuration is different between users of the repository. Users of `nixpkgs_packages` must set the `nix_file_deps` argument with all the files used by the nix process. We were previously accepting a global nixpkgs configuration file as implicit dependency, but this commit now disallow that. User must explicitly set its own nixpkgs configuration, such as: ``` import nixpkgs_path { config = {}; }; ``` --- WORKSPACE | 6 +++--- nixpkgs/nixpkgs.bzl | 9 +++++---- shell.nix | 2 +- tests/hello.nix | 2 +- tests/nixpkgs.nix | 2 +- tests/output.nix | 2 +- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index 02db2503..e92fcd1e 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -36,7 +36,7 @@ nixpkgs_package( nixpkgs_package( name = "expr-test", - nix_file_content = "let pkgs = import {}; in pkgs.hello", + nix_file_content = "let pkgs = import { config = {}; }; in pkgs.hello", # Deliberately not @nixpkgs, to test whether explict file works. repositories = {"nixpkgs": "//:nixpkgs.nix"}, ) @@ -50,7 +50,7 @@ nixpkgs_package( nixpkgs_package( name = "expr-attribute-test", attribute_path = "hello", - nix_file_content = "import {}", + nix_file_content = "import { config = {}; }", repository = "@nixpkgs", ) @@ -77,7 +77,7 @@ nixpkgs_package( nixpkgs_package( name = "extra-args-test", nix_file_content = """ -{ packagePath }: (import {}).${packagePath} +{ packagePath }: (import { config = {}; }).${packagePath} """, repository = "@nixpkgs", nixopts = ["--argstr", "packagePath", "hello"], diff --git a/nixpkgs/nixpkgs.bzl b/nixpkgs/nixpkgs.bzl index 00785699..7543b72c 100644 --- a/nixpkgs/nixpkgs.bzl 
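Review bot: Passing `config = {}` in each `nix_file_content` expression of these WORKSPACE hunks pins only the configuration argument. nixpkgs resolves its `overlays` argument separately, and when it is omitted it falls back to `<nixpkgs-overlays>` on the Nix path and to `~/.config/nixpkgs/overlays.nix` or `~/.config/nixpkgs/overlays/`. A per-user overlay can replace any package in the set, so it stays an implicit, unreviewed build input, which is the situation this commit sets out to remove. I would pass both arguments, `{ config = {}; overlays = []; }`. The same applies to the `expr_args` default and the `nixpkgs_cc_configure` default in nixpkgs/nixpkgs.bzl, to shell.nix, and to tests/hello.nix, tests/nixpkgs.nix and tests/output.nix.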
+++ b/nixpkgs/nixpkgs.bzl @@ -97,7 +97,7 @@ def _nixpkgs_package_impl(repository_ctx): elif not repositories: fail(strFailureImplicitNixpkgs) else: - expr_args = ["-E", "import {}"] + expr_args = ["-E", "import { config = {}; }"] _symlink_nix_file_deps(repository_ctx, repository_ctx.attr.nix_file_deps) @@ -185,11 +185,9 @@ def _nixpkgs_package_impl(repository_ctx): # We ignore some files: # - Anything in /nix/store, they are not explicit dependencies are are supposed to be immutable # - Anything from .cache/bazel, only case I encountered was a local nixpkgs clone handled by bazel - # - .config/nixpkgs. user configuration should not impact the reproducibility of the build if ( not line[2].startswith("'/nix/store") and ".cache/bazel" not in line[2] - and ".config/nixpkgs" not in line[2] ): filename = line[2][1:-1] # trimming quotes @@ -241,6 +239,9 @@ nix_file_deps = [ "{deps_listing}", ] +Note: if it points to the nixpkgs global configuration file, such as ~/.config/nixpkgs/config.nix. You must force nixpkgs to not use the local configuration, by providing a `config` argument to your nixpkgs import, such as: + +import (nixpkgs_path) {{ config = {{}}; }}; """.format(repo_name = repository_ctx.name, deps_listing = '",\n "'.join(deps_minus_declared_deps.keys()))) @@ -371,7 +372,7 @@ def nixpkgs_cc_configure( """ if not nix_file and not nix_file_content: nix_file_content = """ - with import {}; buildEnv { + with import { config = {}; }; buildEnv { name = "bazel-cc-toolchain"; paths = [ stdenv.cc binutils ]; } diff --git a/shell.nix b/shell.nix index 23b3e10d..b90eab75 100644 --- a/shell.nix +++ b/shell.nix @@ -1,4 +1,4 @@ -{ pkgs ? import ./nixpkgs.nix {} }: +{ pkgs ? import ./nixpkgs.nix { config = {}; } }: with pkgs; diff --git a/tests/hello.nix b/tests/hello.nix index 285e93f7..5ba09870 100644 --- a/tests/hello.nix +++ b/tests/hello.nix 
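Review bot: The hint added to the undeclared-dependency message (the `Note:` lines before `""".format(`) names only `~/.config/nixpkgs/config.nix`. With the `.config/nixpkgs` exemption removed in the preceding hunk, overlay files under that directory would presumably be reported here as well, and `config = {}` does not stop nixpkgs from reading them. The first sentence of the hint is also a fragment. I would word it as `Note: if a listed file is nixpkgs' per-user configuration or overlays (under ~/.config/nixpkgs), do not declare it; pass explicit arguments to your nixpkgs import instead:` followed by `import (nixpkgs_path) {{ config = {{}}; overlays = []; }};`. The enclosing call starts outside the hunk.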
@@ -1,3 +1,3 @@ with import ./pkgname.nix; -let pkgs = import {}; in builtins.getAttr pkgname pkgs +let pkgs = import { config = {}; }; in builtins.getAttr pkgname pkgs diff --git a/tests/nixpkgs.nix b/tests/nixpkgs.nix index cdd1f58f..b80f8899 100644 --- a/tests/nixpkgs.nix +++ b/tests/nixpkgs.nix @@ -1 +1 @@ -import {} +import { config = {}; } diff --git a/tests/output.nix b/tests/output.nix index a0269adb..89449f7e 100644 --- a/tests/output.nix +++ b/tests/output.nix @@ -1,4 +1,4 @@ -with import {}; +with import { config = {}; }; runCommand "some-output" { preferLocalBuild = true;