From 1b28a1e224d6e5eb20ac09bc4604ca4d4a4a6b8e Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:05:21 +0100
Subject: [PATCH 01/11] sanitiseHeaderPathsHook: init

C++ headers often use `__FILE__` in error messages, causing the development outputs of libraries to leak into the runtime closure of packages using them. This hook abstracts away a pattern used in a few places throughout the tree to have headers identify themselves by a sanitized path that does not cause runtime dependencies. This does unfortunately mean that compiler error messages will reference the sanitized path. The only alternatives I can imagine are to patch compilers to handle `__FILE__` specially, or to have libraries propagate a hook that removes references. The latter would potentially need to be propagated recursively due to `#include` semantics and would be less precise than this.
---
.../sa/sanitiseHeaderPathsHook/package.nix | 18 ++++++++++++++++++
.../sanitise-header-paths-hook.bash | 10 ++++++++++
2 files changed, 28 insertions(+)
create mode 100644 pkgs/by-name/sa/sanitiseHeaderPathsHook/package.nix
create mode 100644 pkgs/by-name/sa/sanitiseHeaderPathsHook/sanitise-header-paths-hook.bash
diff --git a/pkgs/by-name/sa/sanitiseHeaderPathsHook/package.nix b/pkgs/by-name/sa/sanitiseHeaderPathsHook/package.nix
new file mode 100644
index 0000000000000..6e6bd00ebf2f8
--- /dev/null
+++ b/pkgs/by-name/sa/sanitiseHeaderPathsHook/package.nix
@@ -0,0 +1,18 @@
+{
+ lib,
+ makeSetupHook,
+ removeReferencesTo,
+}:
+
+makeSetupHook {
+ name = "sanitise-header-paths-hook";
+
+ substitutions = {
+ removeReferencesTo = lib.getExe removeReferencesTo;
+ };
+
+ meta = {
+ description = "Setup hook to sanitise header file paths to avoid leaked references through `__FILE__`";
+ maintainers = [ lib.maintainers.emily ];
+ };
+} ./sanitise-header-paths-hook.bash
diff --git a/pkgs/by-name/sa/sanitiseHeaderPathsHook/sanitise-header-paths-hook.bash b/pkgs/by-name/sa/sanitiseHeaderPathsHook/sanitise-header-paths-hook.bash
new file mode 100644
index 0000000000000..60e311e12a841
--- /dev/null
+++ b/pkgs/by-name/sa/sanitiseHeaderPathsHook/sanitise-header-paths-hook.bash
@@ -0,0 +1,10 @@
+sanitiseHeaderPaths() {
+ local header
+ while IFS= read -r -d '' header; do
+ nixLog "sanitising header path in $header"
+ sed -i "1i#line 1 \"$header\"" "$header"
+ @removeReferencesTo@ -t "${!outputInclude}" "$header"
+ done < <(find "${!outputInclude}/include" -type f -print0)
+}
+
+preFixupHooks+=(sanitiseHeaderPaths)
From acf51915abcdc6d8620e36951e95894fcd24780f Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:13:25 +0100
Subject: [PATCH 02/11] boost: use `sanitiseHeaderPathsHook`

---
pkgs/development/libraries/boost/generic.nix | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/pkgs/development/libraries/boost/generic.nix b/pkgs/development/libraries/boost/generic.nix
index 044070d64f6ec..d7edcbfba4141 100644
--- a/pkgs/development/libraries/boost/generic.nix
+++ b/pkgs/development/libraries/boost/generic.nix
@@ -10,6 +10,7 @@
 fixDarwinDylibNames,
 libiconv,
 libxcrypt,
+ sanitiseHeaderPathsHook,
 makePkgconfigItem,
 copyPkgconfigItems,
 boost-build,
@@ -346,6 +347,7 @@ stdenv.mkDerivation {
 which
 boost-build
 copyPkgconfigItems
+ sanitiseHeaderPathsHook
 ] ++ lib.optional stdenv.hostPlatform.isDarwin fixDarwinDylibNames;
 buildInputs = [
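Review bot: The `sed -i` on the hook's fifth line prepends `#line` ahead of any UTF‐8 BOM, so a BOM-prefixed header ends up with the BOM on line 2, where the preprocessor may reject it; folding the strip into the same script, `sed -i "1s/^\xef\xbb\xbf//;1i#line 1 \"$header\"" "$header"`, handles that inside the hook instead of relying on each consumer to pre-clean its headers. The `find` on the following line visits every regular file under `include/` with no name filter (an extension list would miss libstdc++'s extensionless headers, which this series also targets), so any non-C/C++ file installed there gets a `#line` prepended and may be corrupted; that trade-off deserves a comment, e.g. `# Every regular file under include/ is treated as a preprocessed header; nothing else should be installed there.`, and possibly an opt-out. It is also worth documenting that `@removeReferencesTo@ -t` rewrites every occurrence of the include output's path in the file, not only the one the `#line` just introduced, so a configure-generated `#define` carrying that path will point at a non-existent store path afterwards — the same as the per-package loops this replaces, so a documentation point rather than a regression. Symlinks are skipped by `-type f` and directory symlinks are not followed, which is fine only if every header is reachable as a regular file.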
@@ -394,15 +396,15 @@ stdenv.mkDerivation {
 runHook postInstall
 '';
- postFixup =
- ''
- # Make boost header paths relative so that they are not runtime dependencies
- cd "$dev" && find include \( -name '*.hpp' -or -name '*.h' -or -name '*.ipp' \) \
- -exec sed '1s/^\xef\xbb\xbf//;1i#line 1 "{}"' -i '{}' \;
- ''
- + lib.optionalString stdenv.hostPlatform.isMinGW ''
- $RANLIB "$out/lib/"*.a
- '';
+ preFixup = ''
+ # Strip UTF‐8 BOMs for `sanitiseHeaderPathsHook`.
+ cd "$dev" && find include \( -name '*.hpp' -or -name '*.h' -or -name '*.ipp' \) \
+ -exec sed '1s/^\xef\xbb\xbf//' -i '{}' \;
+ '';
+
+ postFixup = lib.optionalString stdenv.hostPlatform.isMinGW ''
+ $RANLIB "$out/lib/"*.a
+ '';
 outputs = [
 "out"
From 651c77c71e546682c3065be1266def5c862fc1b3 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:18:54 +0100
Subject: [PATCH 03/11] gtest: use `sanitiseHeaderPathsHook`

---
pkgs/by-name/gt/gtest/package.nix | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pkgs/by-name/gt/gtest/package.nix b/pkgs/by-name/gt/gtest/package.nix
index 2678e192a3751..20b6e36d722d7 100644
--- a/pkgs/by-name/gt/gtest/package.nix
+++ b/pkgs/by-name/gt/gtest/package.nix
@@ -4,6 +4,7 @@
 fetchFromGitHub,
 cmake,
 ninja,
+ sanitiseHeaderPathsHook,
 # Enable C++17 support
 # https://github.com/google/googletest/issues/3081
 # Projects that require a higher standard can override this package.
@@ -47,6 +48,7 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [
 cmake
 ninja
+ sanitiseHeaderPathsHook
 ];
 cmakeFlags =
From 363f75d245666466be8ef172e6d03e872757f4d4 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:15:57 +0100
Subject: [PATCH 04/11] folly: use `sanitiseHeaderPathsHook`

---
pkgs/by-name/fo/folly/package.nix | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/pkgs/by-name/fo/folly/package.nix b/pkgs/by-name/fo/folly/package.nix
index 22ba130140944..33f9457777186 100644
--- a/pkgs/by-name/fo/folly/package.nix
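Review bot: The added `preFixup` only does its job if it runs before `sanitiseHeaderPaths`, which is registered in `preFixupHooks`; I believe `runHook` evaluates the `preFixup` attribute before the array entries, but the comment on the second added line does not say the placement is deliberate, so make it explicit: `# Strip UTF‐8 BOMs before sanitiseHeaderPathsHook (a preFixupHooks entry) prepends #line; runHook runs this attribute first.` Doing the strip in `postInstall` instead would remove the dependency on hook ordering altogether. Note that the removed code wrote `#line 1 "include/boost/…"` relative to `$dev`, whereas the hook writes the absolute, hash-stripped store path, so Boost's `__FILE__` values change form; that is the intended trade-off but the commit message does not mention it. The enclosing `stdenv.mkDerivation` attribute set continues on both sides of the hunk.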
+++ b/pkgs/by-name/fo/folly/package.nix
@@ -8,7 +8,7 @@
 cmake,
 ninja,
 pkg-config,
- removeReferencesTo,
+ sanitiseHeaderPathsHook,
 double-conversion,
 fast-float,
@@ -59,7 +59,7 @@ stdenv.mkDerivation (finalAttrs: {
 cmake
 ninja
 pkg-config
- removeReferencesTo
+ sanitiseHeaderPathsHook
 ];
 # See CMake/folly-deps.cmake in the Folly source tree.
@@ -192,18 +192,6 @@ stdenv.mkDerivation (finalAttrs: {
 runHook postCheck
 '';
- postFixup = ''
- # Sanitize header paths to avoid runtime dependencies leaking in
- # through `__FILE__`.
- (
- shopt -s globstar
- for header in "$dev/include"/**/*.h; do
- sed -i "1i#line 1 \"$header\"" "$header"
- remove-references-to -t "$dev" "$header"
- done
- )
- '';
-
 passthru = {
 inherit boost;
 fmt = fmt_11;
From 277d5ce6618c502c5d28631f1e8854f055e43fa5 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:17:57 +0100
Subject: [PATCH 05/11] fizz: use `sanitiseHeaderPathsHook`

---
pkgs/by-name/fi/fizz/package.nix | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/pkgs/by-name/fi/fizz/package.nix b/pkgs/by-name/fi/fizz/package.nix
index e451ee6fd812a..62b7842324213 100644
--- a/pkgs/by-name/fi/fizz/package.nix
+++ b/pkgs/by-name/fi/fizz/package.nix
@@ -6,7 +6,7 @@
 cmake,
 ninja,
- removeReferencesTo,
+ sanitiseHeaderPathsHook,
 openssl,
 glog,
@@ -48,7 +48,7 @@ stdenv.mkDerivation (finalAttrs: {
 nativeBuildInputs = [
 cmake
 ninja
- removeReferencesTo
+ sanitiseHeaderPathsHook
 ];
 buildInputs = [
@@ -101,18 +101,6 @@ stdenv.mkDerivation (finalAttrs: {
 export GTEST_FILTER="-${lib.concatStringsSep ":" disabledTests}"
 '';
- postFixup = ''
- # Sanitize header paths to avoid runtime dependencies leaking in
- # through `__FILE__`.
- (
- shopt -s globstar
- for header in "$dev/include"/**/*.h; do
- sed -i "1i#line 1 \"$header\"" "$header"
- remove-references-to -t "$dev" "$header"
- done
- )
- '';
-
 passthru.updateScript = nix-update-script { };
 meta = {
From aa5b3270d16249ff981926a9e9878dbb7a7707f2 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:18:12 +0100
Subject: [PATCH 06/11] mvfst: use `sanitiseHeaderPathsHook`

---
pkgs/by-name/mv/mvfst/package.nix | 19 ++-----------------
1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/pkgs/by-name/mv/mvfst/package.nix b/pkgs/by-name/mv/mvfst/package.nix
index 3b4472c0e11b3..d7e11080cd7ed 100644
--- a/pkgs/by-name/mv/mvfst/package.nix
+++ b/pkgs/by-name/mv/mvfst/package.nix
@@ -6,7 +6,7 @@
 cmake,
 ninja,
- removeReferencesTo,
+ sanitiseHeaderPathsHook,
 folly,
 gflags,
@@ -43,7 +43,7 @@ stdenv.mkDerivation (finalAttrs: {
 nativeBuildInputs = [
 cmake
 ninja
- removeReferencesTo
+ sanitiseHeaderPathsHook
 ];
 buildInputs = [
@@ -123,21 +123,6 @@ stdenv.mkDerivation (finalAttrs: {
 runHook postCheck
 '';
- postFixup = ''
- # Sanitize header paths to avoid runtime dependencies leaking in
- # through `__FILE__`.
- (
- shopt -s globstar
- for header in "$dev/include"/**/*.h; do
- sed -i "1i#line 1 \"$header\"" "$header"
- remove-references-to -t "$dev" "$header"
- done
- )
-
- # TODO: Do this in `gtest` rather than downstream.
- remove-references-to -t ${gtest.dev} $out/lib/*
- '';
-
 passthru.updateScript = nix-update-script { };
 meta = {
From efab895df7767adbc94cf618ae03ca2e551039f9 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:19:46 +0100
Subject: [PATCH 07/11] wangle: use `sanitiseHeaderPathsHook`

---
pkgs/by-name/wa/wangle/package.nix | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/pkgs/by-name/wa/wangle/package.nix b/pkgs/by-name/wa/wangle/package.nix
index adb10abf9f323..2341006916f01 100644
--- a/pkgs/by-name/wa/wangle/package.nix
+++ b/pkgs/by-name/wa/wangle/package.nix
@@ -6,7 +6,7 @@
 cmake,
 ninja,
- removeReferencesTo,
+ sanitiseHeaderPathsHook,
 folly,
 fizz,
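Review bot: The removed `postFixup` in the mvfst `@@ -123,21 +123,6 @@` hunk also ran `remove-references-to -t ${gtest.dev} $out/lib/*`, and nothing in this package replaces it; the commit evidently relies on `gtest` now running the hook (PATCH 03) so its headers no longer embed `gtest.dev`, but that dependency is not stated anywhere here. If a `gtest.dev` reference reaches `$out/lib` by another route it will return silently, so either note the reliance in the commit message or make it checked, e.g. `disallowedReferences = [ gtest.dev ];`, provided no output legitimately needs that reference. The enclosing `stdenv.mkDerivation` attribute set continues on both sides of the hunk.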
@@ -44,7 +44,7 @@ stdenv.mkDerivation (finalAttrs: {
 nativeBuildInputs = [
 cmake
 ninja
- removeReferencesTo
+ sanitiseHeaderPathsHook
 ];
 buildInputs = [
@@ -109,18 +109,6 @@ stdenv.mkDerivation (finalAttrs: {
 runHook postCheck
 '';
- postFixup = ''
- # Sanitize header paths to avoid runtime dependencies leaking in
- # through `__FILE__`.
- (
- shopt -s globstar
- for header in "$dev/include"/**/*.h; do
- sed -i "1i#line 1 \"$header\"" "$header"
- remove-references-to -t "$dev" "$header"
- done
- )
- '';
-
 passthru.updateScript = nix-update-script { };
 meta = {
From 6e7fd3cf13ae6af76dab0cf01798e90af0944d0c Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:20:12 +0100
Subject: [PATCH 08/11] fbthrift: use `sanitiseHeaderPathsHook`

---
pkgs/by-name/fb/fbthrift/package.nix | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/pkgs/by-name/fb/fbthrift/package.nix b/pkgs/by-name/fb/fbthrift/package.nix
index 1987f574e7f4d..244c1d7ab7dfe 100644
--- a/pkgs/by-name/fb/fbthrift/package.nix
+++ b/pkgs/by-name/fb/fbthrift/package.nix
@@ -7,7 +7,7 @@
 cmake,
 ninja,
- removeReferencesTo,
+ sanitiseHeaderPathsHook,
 openssl,
 gflags,
@@ -64,7 +64,7 @@ stdenv.mkDerivation (finalAttrs: {
 nativeBuildInputs = [
 cmake
 ninja
- removeReferencesTo
+ sanitiseHeaderPathsHook
 ];
 buildInputs = [
@@ -104,18 +104,6 @@ stdenv.mkDerivation (finalAttrs: {
 (lib.cmakeFeature "CMAKE_SHARED_LINKER_FLAGS" "-Wl,-undefined,dynamic_lookup")
 ];
- postFixup = ''
- # Sanitize header paths to avoid runtime dependencies leaking in
- # through `__FILE__`.
- (
- shopt -s globstar
- for header in "$out/include"/**/*.h; do
- sed -i "1i#line 1 \"$header\"" "$header"
- remove-references-to -t "$out" "$header"
- done
- )
- '';
-
 passthru.updateScript = nix-update-script { };
 meta = {
From 17d4441a420f58d48bc6db1c274585c7cb0b2b3a Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:20:26 +0100
Subject: [PATCH 09/11] fbthrift: fix typo

---
pkgs/by-name/fb/fbthrift/package.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/by-name/fb/fbthrift/package.nix b/pkgs/by-name/fb/fbthrift/package.nix
index 244c1d7ab7dfe..a55807541051a 100644
--- a/pkgs/by-name/fb/fbthrift/package.nix
+++ b/pkgs/by-name/fb/fbthrift/package.nix
@@ -100,7 +100,7 @@ stdenv.mkDerivation (finalAttrs: {
 ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
 # Homebrew sets this, and the shared library build fails without
- # it. I don‘t know, either. It scares me.
+ # it. I don’t know, either. It scares me.
 (lib.cmakeFeature "CMAKE_SHARED_LINKER_FLAGS" "-Wl,-undefined,dynamic_lookup")
 ];
From 034f0298f4ffe3eef43eca2a2b848302031525e6 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:20:54 +0100
Subject: [PATCH 10/11] edencommon: use `sanitiseHeaderPathsHook`

---
pkgs/by-name/ed/edencommon/package.nix | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/pkgs/by-name/ed/edencommon/package.nix b/pkgs/by-name/ed/edencommon/package.nix
index eb0a3e823440b..69f00ab94a526 100644
--- a/pkgs/by-name/ed/edencommon/package.nix
+++ b/pkgs/by-name/ed/edencommon/package.nix
@@ -6,7 +6,7 @@
 cmake,
 ninja,
- removeReferencesTo,
+ sanitiseHeaderPathsHook,
 glog,
 gflags,
@@ -47,7 +47,7 @@ stdenv.mkDerivation (finalAttrs: {
 nativeBuildInputs = [
 cmake
 ninja
- removeReferencesTo
+ sanitiseHeaderPathsHook
 ];
 buildInputs = [
@@ -98,18 +98,6 @@ stdenv.mkDerivation (finalAttrs: {
 'find_package(FBThrift CONFIG REQUIRED COMPONENTS cpp2)'
 '';
- postFixup = ''
- # Sanitize header paths to avoid runtime dependencies leaking in
- # through `__FILE__`.
- (
- shopt -s globstar
- for header in "$dev/include"/**/*.h; do
- sed -i "1i#line 1 \"$header\"" "$header"
- remove-references-to -t "$dev" "$header"
- done
- )
- '';
-
 passthru.updateScript = nix-update-script { };
 meta = {
From 1c2dfb8de915aa9fbabed038e30afbb2d6c9ed74 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 20 Jun 2025 11:22:11 +0100
Subject: [PATCH 11/11] gcc: use `sanitiseHeaderPathsHook`

This reduces the WebKitGTK runtime closure size from 1.45 GiB to 1.22 GiB on `aarch64-linux`, as measured by `nix-tree`.
---
pkgs/development/compilers/gcc/common/dependencies.nix | 5 +++++
pkgs/development/compilers/gcc/default.nix | 2 ++
2 files changed, 7 insertions(+)
diff --git a/pkgs/development/compilers/gcc/common/dependencies.nix b/pkgs/development/compilers/gcc/common/dependencies.nix
index ee62f1da0e1fd..38cbcc2682b1f 100644
--- a/pkgs/development/compilers/gcc/common/dependencies.nix
+++ b/pkgs/development/compilers/gcc/common/dependencies.nix
@@ -12,6 +12,7 @@
 gmp,
 mpfr,
 libmpc,
+ sanitiseHeaderPathsHook,
 libucontext ? null,
 libxcrypt ? null,
 isSnapshot ? false,
@@ -42,6 +43,10 @@ in
 texinfo
 which
 gettext
+
+ # Prevent GCC leaking into the runtime closure of C++ packages
+ # through headers using `__FILE__`.
+ sanitiseHeaderPathsHook
 ] ++ optionals (perl != null) [ perl ] ++ optionals (with stdenv.targetPlatform; isVc4 || isRedox || isSnapshot && flex != null) [ flex ]
diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix
index 1cd81dc4f669b..a3d54f1b8525f 100644
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@@ -49,6 +49,7 @@
 !enablePlugin || (stdenv.targetPlatform.isAvr && stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64),
 nukeReferences,
+ sanitiseHeaderPathsHook,
 callPackage,
 majorMinorVersion,
 apple-sdk,
@@ -179,6 +180,7 @@ let
 pkgsBuildTarget
 profiledCompiler
 reproducibleBuild
+ sanitiseHeaderPathsHook
 staticCompiler
 stdenv
 targetPackages
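Review bot: Adding `sanitiseHeaderPathsHook` to the list in the `dependencies.nix` `@@ -42,6 +43,10 @@` hunk pulls `removeReferencesTo` (via the hook's substitution) into the build of the compiler itself; since GCC is built on the stdenv bootstrap path, the comment on the added lines should record that this was checked not to introduce an evaluation cycle or an unintended extra bootstrap rebuild. Separately, the hook only walks `${!outputInclude}/include`; if I remember GCC's install layout correctly, the compiler's own headers live under `$out/lib/gcc/<target>/<version>/include` and are not touched, so the comment could state the coverage, e.g. `# Only headers under $out/include (libstdc++ etc.) are sanitised; lib/gcc/.../include is not.`. The `default.nix` hunks merely thread the hook through, but the explicit `inherit` in the second one is only needed if `callPackage` would otherwise pick a different `sanitiseHeaderPathsHook`, and a short comment there would save the next reader the guess. The list being extended in `dependencies.nix` starts before the hunk.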