NixOS · K900 · Jul 4, 2025 · Jun 20, 2025 · Jun 20, 2025 · Jun 20, 2025
diff --git a/pkgs/by-name/ed/edencommon/package.nix b/pkgs/by-name/ed/edencommon/package.nix
@@ -6,7 +6,7 @@
 
   cmake,
   ninja,
-  removeReferencesTo,
+  sanitiseHeaderPathsHook,
 
   glog,
   gflags,
@@ -47,7 +47,7 @@ stdenv.mkDerivation (finalAttrs: {
   nativeBuildInputs = [
     cmake
     ninja
-    removeReferencesTo
+    sanitiseHeaderPathsHook
   ];
 
   buildInputs = [
@@ -98,18 +98,6 @@ stdenv.mkDerivation (finalAttrs: {
         'find_package(FBThrift CONFIG REQUIRED COMPONENTS cpp2)'
   '';
 
-  postFixup = ''
-    # Sanitize header paths to avoid runtime dependencies leaking in
-    # through `__FILE__`.
-    (
-      shopt -s globstar
-      for header in "$dev/include"/**/*.h; do
-        sed -i "1i#line 1 \"$header\"" "$header"
-        remove-references-to -t "$dev" "$header"
-      done
-    )
-  '';
-
   passthru.updateScript = nix-update-script { };
 
   meta = {

diff --git a/pkgs/by-name/fb/fbthrift/package.nix b/pkgs/by-name/fb/fbthrift/package.nix
@@ -7,7 +7,7 @@
 
   cmake,
   ninja,
-  removeReferencesTo,
+  sanitiseHeaderPathsHook,
 
   openssl,
   gflags,
@@ -64,7 +64,7 @@ stdenv.mkDerivation (finalAttrs: {
   nativeBuildInputs = [
     cmake
     ninja
-    removeReferencesTo
+    sanitiseHeaderPathsHook
   ];
 
   buildInputs = [
@@ -100,22 +100,10 @@ stdenv.mkDerivation (finalAttrs: {
     ]
     ++ lib.optionals stdenv.hostPlatform.isDarwin [
       # Homebrew sets this, and the shared library build fails without
-      # it. I don‘t know, either. It scares me.
+      # it. I don’t know, either. It scares me.
       (lib.cmakeFeature "CMAKE_SHARED_LINKER_FLAGS" "-Wl,-undefined,dynamic_lookup")
     ];
 
-  postFixup = ''
-    # Sanitize header paths to avoid runtime dependencies leaking in
-    # through `__FILE__`.
-    (
-      shopt -s globstar
-      for header in "$out/include"/**/*.h; do
-        sed -i "1i#line 1 \"$header\"" "$header"
-        remove-references-to -t "$out" "$header"
-      done
-    )
-  '';
-
   passthru.updateScript = nix-update-script { };
 
   meta = {

diff --git a/pkgs/by-name/fi/fizz/package.nix b/pkgs/by-name/fi/fizz/package.nix
@@ -6,7 +6,7 @@
 
   cmake,
   ninja,
-  removeReferencesTo,
+  sanitiseHeaderPathsHook,
 
   openssl,
   glog,
@@ -48,7 +48,7 @@ stdenv.mkDerivation (finalAttrs: {
   nativeBuildInputs = [
     cmake
     ninja
-    removeReferencesTo
+    sanitiseHeaderPathsHook
   ];
 
   buildInputs = [
@@ -101,18 +101,6 @@ stdenv.mkDerivation (finalAttrs: {
       export GTEST_FILTER="-${lib.concatStringsSep ":" disabledTests}"
     '';
 
-  postFixup = ''
-    # Sanitize header paths to avoid runtime dependencies leaking in
-    # through `__FILE__`.
-    (
-      shopt -s globstar
-      for header in "$dev/include"/**/*.h; do
-        sed -i "1i#line 1 \"$header\"" "$header"
-        remove-references-to -t "$dev" "$header"
-      done
-    )
-  '';
-
   passthru.updateScript = nix-update-script { };
 
   meta = {

diff --git a/pkgs/by-name/fo/folly/package.nix b/pkgs/by-name/fo/folly/package.nix
@@ -8,7 +8,7 @@
   cmake,
   ninja,
   pkg-config,
-  removeReferencesTo,
+  sanitiseHeaderPathsHook,
 
   double-conversion,
   fast-float,
@@ -59,7 +59,7 @@ stdenv.mkDerivation (finalAttrs: {
     cmake
     ninja
     pkg-config
-    removeReferencesTo
+    sanitiseHeaderPathsHook
   ];
 
   # See CMake/folly-deps.cmake in the Folly source tree.
@@ -192,18 +192,6 @@ stdenv.mkDerivation (finalAttrs: {
     runHook postCheck
   '';
 
-  postFixup = ''
-    # Sanitize header paths to avoid runtime dependencies leaking in
-    # through `__FILE__`.
-    (
-      shopt -s globstar
-      for header in "$dev/include"/**/*.h; do
-        sed -i "1i#line 1 \"$header\"" "$header"
-        remove-references-to -t "$dev" "$header"
-      done
-    )
-  '';
-
   passthru = {
     inherit boost;
     fmt = fmt_11;

diff --git a/pkgs/by-name/gt/gtest/package.nix b/pkgs/by-name/gt/gtest/package.nix
@@ -4,6 +4,7 @@
   fetchFromGitHub,
   cmake,
   ninja,
+  sanitiseHeaderPathsHook,
   # Enable C++17 support
   #     https://github.com/google/googletest/issues/3081
   # Projects that require a higher standard can override this package.
@@ -47,6 +48,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [
     cmake
     ninja
+    sanitiseHeaderPathsHook
   ];
 
   cmakeFlags =

diff --git a/pkgs/by-name/mv/mvfst/package.nix b/pkgs/by-name/mv/mvfst/package.nix
@@ -6,7 +6,7 @@
 
   cmake,
   ninja,
-  removeReferencesTo,
+  sanitiseHeaderPathsHook,
 
   folly,
   gflags,
@@ -43,7 +43,7 @@ stdenv.mkDerivation (finalAttrs: {
   nativeBuildInputs = [
     cmake
     ninja
-    removeReferencesTo
+    sanitiseHeaderPathsHook
   ];
 
   buildInputs = [
@@ -123,21 +123,6 @@ stdenv.mkDerivation (finalAttrs: {
     runHook postCheck
   '';
 
-  postFixup = ''
-    # Sanitize header paths to avoid runtime dependencies leaking in
-    # through `__FILE__`.
-    (
-      shopt -s globstar
-      for header in "$dev/include"/**/*.h; do
-        sed -i "1i#line 1 \"$header\"" "$header"
-        remove-references-to -t "$dev" "$header"
-      done
-    )
-
-    # TODO: Do this in `gtest` rather than downstream.
-    remove-references-to -t ${gtest.dev} $out/lib/*
-  '';
-
   passthru.updateScript = nix-update-script { };
 
   meta = {

diff --git a/pkgs/by-name/sa/sanitiseHeaderPathsHook/package.nix b/pkgs/by-name/sa/sanitiseHeaderPathsHook/package.nix
@@ -0,0 +1,18 @@
+{
+  lib,
+  makeSetupHook,
+  removeReferencesTo,
+}:
+
+makeSetupHook {
+  name = "sanitise-header-paths-hook";
+
+  substitutions = {
+    removeReferencesTo = lib.getExe removeReferencesTo;
+  };
+
+  meta = {
+    description = "Setup hook to sanitise header file paths to avoid leaked references through `__FILE__`";
+    maintainers = [ lib.maintainers.emily ];
+  };
+} ./sanitise-header-paths-hook.bash
diff --git a/pkgs/by-name/sa/sanitiseHeaderPathsHook/sanitise-header-paths-hook.bash b/pkgs/by-name/sa/sanitiseHeaderPathsHook/sanitise-header-paths-hook.bash
@@ -0,0 +1,10 @@
+sanitiseHeaderPaths() {
+  local header
+  while IFS= read -r -d '' header; do
+    nixLog "sanitising header path in $header"
+    sed -i "1i#line 1 \"$header\"" "$header"
+    @removeReferencesTo@ -t "${!outputInclude}" "$header"
+  done < <(find "${!outputInclude}/include" -type f -print0)
+}
+
+preFixupHooks+=(sanitiseHeaderPaths)
diff --git a/pkgs/by-name/wa/wangle/package.nix b/pkgs/by-name/wa/wangle/package.nix
@@ -6,7 +6,7 @@
 
   cmake,
   ninja,
-  removeReferencesTo,
+  sanitiseHeaderPathsHook,
 
   folly,
   fizz,
@@ -44,7 +44,7 @@ stdenv.mkDerivation (finalAttrs: {
   nativeBuildInputs = [
     cmake
     ninja
-    removeReferencesTo
+    sanitiseHeaderPathsHook
   ];
 
   buildInputs = [
@@ -109,18 +109,6 @@ stdenv.mkDerivation (finalAttrs: {
     runHook postCheck
   '';
 
-  postFixup = ''
-    # Sanitize header paths to avoid runtime dependencies leaking in
-    # through `__FILE__`.
-    (
-      shopt -s globstar
-      for header in "$dev/include"/**/*.h; do
-        sed -i "1i#line 1 \"$header\"" "$header"
-        remove-references-to -t "$dev" "$header"
-      done
-    )
-  '';
-
   passthru.updateScript = nix-update-script { };
 
   meta = {

diff --git a/pkgs/development/compilers/gcc/common/dependencies.nix b/pkgs/development/compilers/gcc/common/dependencies.nix
@@ -12,6 +12,7 @@
   gmp,
   mpfr,
   libmpc,
+  sanitiseHeaderPathsHook,
   libucontext ? null,
   libxcrypt ? null,
   isSnapshot ? false,
@@ -42,6 +43,10 @@ in
       texinfo
       which
       gettext
+
+      # Prevent GCC leaking into the runtime closure of C++ packages
+      # through headers using `__FILE__`.
+      sanitiseHeaderPathsHook
     ]
     ++ optionals (perl != null) [ perl ]
     ++ optionals (with stdenv.targetPlatform; isVc4 || isRedox || isSnapshot && flex != null) [ flex ]

diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix
@@ -49,6 +49,7 @@
     !enablePlugin
     || (stdenv.targetPlatform.isAvr && stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64),
   nukeReferences,
+  sanitiseHeaderPathsHook,
   callPackage,
   majorMinorVersion,
   apple-sdk,
@@ -179,6 +180,7 @@ let
       pkgsBuildTarget
       profiledCompiler
       reproducibleBuild
+      sanitiseHeaderPathsHook
       staticCompiler
       stdenv
       targetPackages

diff --git a/pkgs/development/libraries/boost/generic.nix b/pkgs/development/libraries/boost/generic.nix
@@ -10,6 +10,7 @@
   fixDarwinDylibNames,
   libiconv,
   libxcrypt,
+  sanitiseHeaderPathsHook,
   makePkgconfigItem,
   copyPkgconfigItems,
   boost-build,
@@ -346,6 +347,7 @@ stdenv.mkDerivation {
     which
     boost-build
     copyPkgconfigItems
+    sanitiseHeaderPathsHook
   ] ++ lib.optional stdenv.hostPlatform.isDarwin fixDarwinDylibNames;
   buildInputs =
     [
@@ -394,15 +396,15 @@ stdenv.mkDerivation {
     runHook postInstall
   '';
 
-  postFixup =
-    ''
-      # Make boost header paths relative so that they are not runtime dependencies
-      cd "$dev" && find include \( -name '*.hpp' -or -name '*.h' -or -name '*.ipp' \) \
-        -exec sed '1s/^\xef\xbb\xbf//;1i#line 1 "{}"' -i '{}' \;
-    ''
-    + lib.optionalString stdenv.hostPlatform.isMinGW ''
-      $RANLIB "$out/lib/"*.a
-    '';
+  preFixup = ''
+    # Strip UTF‐8 BOMs for `sanitiseHeaderPathsHook`.
+    cd "$dev" && find include \( -name '*.hpp' -or -name '*.h' -or -name '*.ipp' \) \
+      -exec sed '1s/^\xef\xbb\xbf//' -i '{}' \;
+  '';
+
+  postFixup = lib.optionalString stdenv.hostPlatform.isMinGW ''
+    $RANLIB "$out/lib/"*.a
+  '';
 
   outputs = [
     "out"