NixOS · philiptaron · Jul 31, 2024 · Aug 1, 2024 · Aug 1, 2024
diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md
@@ -434,6 +434,8 @@ The propagated equivalent of `depsTargetTarget`. This is prefixed for the same r
 
 A number between 0 and 7 indicating how much information to log. If set to 1 or higher, `stdenv` will print moderate debugging information during the build. In particular, the `gcc` and `ld` wrapper scripts will print out the complete command line passed to the wrapped tools. If set to 6 or higher, the `stdenv` setup script will be run with `set -x` tracing. If set to 7 or higher, the `gcc` and `ld` wrapper scripts will also be run with `set -x` tracing.
 
+In order to set the `NIX_DEBUG` environment variable, Nix itself must be re-compiled so that it's set in the local derivation build environment. This ensures that the derivation's hash doesn't change because `NIX_DEBUG` has been set. Most Nix derivation have a `withNixDebug` attribute which can be overridden. Set the `nix.package` option to use this `NIX_DEBUG`-enabled Nix.
+
 ### Attributes affecting build properties {#attributes-affecting-build-properties}
 
 #### `enableParallelBuilding` {#var-stdenv-enableParallelBuilding}
@@ -1421,7 +1423,7 @@ Both parameters take a list of flags as strings. The special `"all"` flag can be
 
 For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/title/Security).
 
-Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the `NIX_DEBUG` environment variable can be used.
+Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the [`NIX_DEBUG` environment variable](#var-stdenv-NIX_DEBUG) can be used.
 
 ### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default}
 

diff --git a/pkgs/tools/package-management/lix/common.nix b/pkgs/tools/package-management/lix/common.nix
@@ -13,6 +13,7 @@
   docCargoHash ? null,
   docCargoLock ? null,
   patches ? [ ],
+  withNixDebugPatch ? null,
   maintainers ? lib.teams.lix.members,
 }@args:
 assert (hash == null) -> (src != null);
@@ -63,6 +64,7 @@ assert (hash == null) -> (src != null);
   rapidcheck,
   Security,
   sqlite,
+  substitute,
   util-linuxMinimal,
   xz,
   nixosTests,
@@ -80,19 +82,30 @@ assert (hash == null) -> (src != null);
   # RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50
   withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp,
   libseccomp,
+  # If non-`null`, the string value is what the environment variable `NIX_DEBUG`
+  # is set to when building any derivation. See the Nixpkgs manual for more.
+  withNixDebug ? null,
 
   confDir,
   stateDir,
   storeDir,
 }:
+assert lib.assertMsg ((withNixDebug != null) -> (withNixDebugPatch != null)) "Setting `withNixDebug` means `withNixDebugPatch` patch must be specified.";
 assert lib.assertMsg (docCargoHash != null || docCargoLock != null) "Either `lix-doc`'s cargoHash using `docCargoHash` or `lix-doc`'s `cargoLock.lockFile` using `docCargoLock` must be set!";
 stdenv.mkDerivation {
   pname = "lix";
 
   version = "${version}${suffix}";
   VERSION_SUFFIX = suffix;
 
-  inherit src patches;
+  inherit src;
+
+  patches = patches ++ lib.optionals (withNixDebug != null) [
+    (substitute {
+      src = withNixDebugPatch;
+      substitutions = [ "--subst-var-by" "NIX_DEBUG" (toString withNixDebug) ];
+    })
+  ];
 
   outputs =
     [

diff --git a/pkgs/tools/package-management/lix/default.nix b/pkgs/tools/package-management/lix/default.nix
@@ -54,6 +54,7 @@ lib.makeExtensible (self: ({
       version = "2.90.0";
       hash = "sha256-f8k+BezKdJfmE+k7zgBJiohtS3VkkriycdXYsKOm3sc=";
       docCargoHash = "sha256-vSf9MyD2XzofZlbzsmh6NP69G+LiX72GX4Um9UJp3dc=";
+      withNixDebugPatch = ./patches/set-NIX_DEBUG-on-lix-2.90.patch;
     }
   );
 

diff --git a/pkgs/tools/package-management/lix/patches/set-NIX_DEBUG-on-lix-2.90.patch b/pkgs/tools/package-management/lix/patches/set-NIX_DEBUG-on-lix-2.90.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -1164,6 +1164,7 @@ void LocalDerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";
diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix
@@ -5,6 +5,7 @@
 , hash ? null
 , src ? fetchFromGitHub { owner = "NixOS"; repo = "nix"; rev = version; inherit hash; }
 , patches ? [ ]
+, withNixDebugPatch ? null
 , maintainers ? with lib.maintainers; [ eelco lovesegfault artturin ]
 , self_attribute_name
 }@args:
@@ -71,13 +72,17 @@ in
 , rapidcheck
 , Security
 , sqlite
+, substitute
 , util-linuxMinimal
 , xz
 
 , enableDocumentation ? !atLeast24 || stdenv.hostPlatform == stdenv.buildPlatform
 , enableStatic ? stdenv.hostPlatform.isStatic
 , withAWS ? !enableStatic && (stdenv.isLinux || stdenv.isDarwin), aws-sdk-cpp
 , withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp, libseccomp
+# If non-`null`, the string value is what the environment variable `NIX_DEBUG`
+# is set to when building any derivation. See the Nixpkgs manual for more.
+, withNixDebug ? null
 
 , confDir
 , stateDir
@@ -86,14 +91,22 @@ in
   # passthru tests
 , pkgsi686Linux
 , runCommand
-}: let
-self = stdenv.mkDerivation {
+}:
+assert lib.assertMsg ((withNixDebug != null) -> (withNixDebugPatch != null)) "Setting `withNixDebug` means `withNixDebugPatch` patch must be specified.";
+let self = stdenv.mkDerivation {
   pname = "nix";
 
   version = "${version}${suffix}";
   VERSION_SUFFIX = suffix;
 
-  inherit src patches;
+  inherit src;
+
+  patches = patches ++ lib.optionals (withNixDebug != null) [
+    (substitute {
+      src = withNixDebugPatch;
+      substitutions = [ "--subst-var-by" "NIX_DEBUG" (toString withNixDebug) ];
+    })
+  ];
 
   outputs =
     [ "out" "dev" ]

diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix
@@ -140,6 +140,7 @@ in lib.makeExtensible (self: ({
     patches = [
       patch-monitorfdhup
     ];
+    withNixDebugPatch = ./patches/set-NIX_DEBUG-on-nix-2.3.patch;
     self_attribute_name = "nix_2_3";
     maintainers = with lib.maintainers; [ flokli ];
   }).override { boehmgc = boehmgc-nix_2_3; }).overrideAttrs {
@@ -152,36 +153,42 @@ in lib.makeExtensible (self: ({
     version = "2.18.5";
     hash = "sha256-xEcYQuJz6DjdYfS6GxIYcn8U+3Hgopne3CvqrNoGguQ=";
     self_attribute_name = "nix_2_18";
+    withNixDebugPatch = ./patches/set-NIX_DEBUG-on-nix-2.18.patch;
   };
 
   nix_2_19 = common {
     version = "2.19.6";
     hash = "sha256-XT5xiwOLgXf+TdyOjbJVOl992wu9mBO25WXHoyli/Tk=";
     self_attribute_name = "nix_2_19";
+    withNixDebugPatch = ./patches/set-NIX_DEBUG-on-nix-2.19.patch;
   };
 
   nix_2_20 = common {
     version = "2.20.8";
     hash = "sha256-M2tkMtjKi8LDdNLsKi3IvD8oY/i3rtarjMpvhybS3WY=";
     self_attribute_name = "nix_2_20";
+    withNixDebugPatch = ./patches/set-NIX_DEBUG-on-nix-2.20.patch;
   };
 
   nix_2_21 = common {
     version = "2.21.4";
     hash = "sha256-c6nVZ0pSrfhFX3eVKqayS+ioqyAGp3zG9ZPO5rkXFRQ=";
     self_attribute_name = "nix_2_21";
+    withNixDebugPatch = ./patches/set-NIX_DEBUG-on-nix-2.21.patch;
   };
 
   nix_2_22 = common {
     version = "2.22.3";
     hash = "sha256-l04csH5rTWsK7eXPWVxJBUVRPMZXllFoSkYFTq/i8WU=";
     self_attribute_name = "nix_2_22";
+    withNixDebugPatch = ./patches/set-NIX_DEBUG-on-nix-2.22.patch;
   };
 
   nix_2_23 = common {
     version = "2.23.3";
     hash = "sha256-lAoLGVIhRFrfgv7wcyduEkyc83QKrtsfsq4of+WrBeg=";
     self_attribute_name = "nix_2_23";
+    withNixDebugPatch = ./patches/set-NIX_DEBUG-on-nix-2.23.patch;
   };
 
   git = (common rec {

diff --git a/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.18.patch b/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.18.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -1165,6 +1165,7 @@ void LocalDerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";
diff --git a/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.19.patch b/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.19.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -1184,6 +1184,7 @@ void LocalDerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";
diff --git a/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.20.patch b/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.20.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -1186,6 +1186,7 @@ void LocalDerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";
diff --git a/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.21.patch b/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.21.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -1187,6 +1187,7 @@ void LocalDerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";
diff --git a/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.22.patch b/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.22.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
+--- a/src/libstore/unix/build/local-derivation-goal.cc
++++ b/src/libstore/unix/build/local-derivation-goal.cc
+@@ -1189,6 +1189,7 @@ void LocalDerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";
diff --git a/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.23.patch b/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.23.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
+--- a/src/libstore/unix/build/local-derivation-goal.cc
++++ b/src/libstore/unix/build/local-derivation-goal.cc
+@@ -1191,6 +1191,7 @@ void LocalDerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";
diff --git a/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.3.patch b/pkgs/tools/package-management/nix/patches/set-NIX_DEBUG-on-nix-2.3.patch
@@ -0,0 +1,11 @@
+diff --git a/src/libstore/build.cc b/src/libstore/build.cc
+--- a/src/libstore/build.cc
++++ b/src/libstore/build.cc
+@@ -2543,6 +2543,7 @@ void DerivationGoal::initEnv()
+        may change that in the future. So tell the builder which file
+        descriptor to use for that. */
+     env["NIX_LOG_FD"] = "2";
++    env["NIX_DEBUG"] = "@NIX_DEBUG@";
+
+     /* Trigger colored output in various tools. */
+     env["TERM"] = "xterm-256color";