nixpkgs: pass lib to config function

[me-and]

Nixpkgs config, for defining things like which licenses are permitted, can either be an attrset or a function that is passed a pkgs argument. Evaluating that pkgs argument requires computing the Nixpkgs fixpoint, which requires checking whether the derivations used in the Nixpkgs bootstrap have valid licenses. This works provided nothing tries to use Nixpkgs functions to validate or merge anything included in the configuration.

f5deefd (config: add and document {allow,block}listedLicenses, 2025-08-31), in #437723, added type checking and merging to the lists of permitted/forbidden licenses. That resulted in a recursion loop if a list of licenses included, say, pkgs.lib.licenses.bsd0.

To allow licenses to be specified from Nixpkgs' library, pass lib as well as pkgs to any config function. Computing lib doesn't require working out the full Nixpkgs fixpoint. The change in #437723 will still break things for some people, but it at least provides a sensible route to getting the config working again.

Fixes #456994.

Things done

• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

---

Add a 👍 reaction to pull requests you find important.

[me-and]

Tagging @infinisil and @ConnorBaker: this is a completely different -- and somewhat more scary -- fix for #456994 than the one @ConnorBaker proposed in #457038.

I expect this change is likely to break even more folks' configurations, e.g. if they've defined a config function like { pkgs }: ... rather than { pkgs, ... }: ....

[ConnorBaker]

Evaluating that pkgs argument requires computing the Nixpkgs fixpoint, which requires checking whether the derivations used in the Nixpkgs bootstrap have valid licenses.

Do you know where that happens specifically? I've got a suspicion that the infinite recursion is caused by the fact that attribute sets are strict in their keys and somewhere along the way during bootstrapping the presence or absence of a value depends on something that it shouldn't.

[me-and]

Evaluating that pkgs argument requires computing the Nixpkgs fixpoint, which requires checking whether the derivations used in the Nixpkgs bootstrap have valid licenses.

Do you know where that happens specifically? I've got a suspicion that the infinite recursion is caused by the fact that attribute sets are strict in their keys and somewhere along the way during bootstrapping the presence or absence of a value depends on something that it shouldn't.

I think it's more fundamental and difficult to fix than that :(

Evaluating pkgs starts here:

nixpkgs/pkgs/top-level/default.nix

Lines 169 to 182 in 08dacfc

	boot = import ../stdenv/booter.nix { inherit lib allPackages; };
	stages = stdenvStages {
	inherit
	lib
	localSystem
	crossSystem
	config
	overlays
	crossOverlays
	;
	};
	pkgs = boot stages;

Based on the --show-stack output when I hit the recursion error, the package evaluation that is getting its licensed checked and triggering the infinite recursion is this one – checking binutils from stage1 of the bootstrap at the start of stage2.

nixpkgs/pkgs/stdenv/linux/default.nix

Line 380 in 08dacfc

assert isBuiltByBootstrapFilesCompiler prevStage.binutils-unwrapped;

I agree evaluating the keys in pkgs is the problem. I imagine having things set up so that we can work out all the names in pkgs without evaluating the bootstrap cycle would be very difficult to achieve, and I think it's correct that we check the licenses when evaluating the bootstrap cycle.

I have the impression the reason NixOS modules get passed lib as well as pkgs is for essentially this same reason: the lib that gets passed is one that doesn't require the Nixpkgs bootstrap being evaluated. And therefore I strongly expect there's no fix here that just skips evaluating something that doesn't need to be evaluated.

[me-and]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 457120
Commit: 4faedbf5e1a4954e4a995be9c8eda0777912a479

---

x86_64-linux

⏩ 2 packages blacklisted:

• nixos-install-tools
• tests.nixos-functions.nixos-test

✅ 1 package built:

• nixpkgs-manual

[me-and]

I've just updated the PR to document an alternative configuration change in the release notes that will work with both 25.05 and 25.11, with thanks to @emilazy for prompting me to think about how to make that possible.

[me-and]

I'm going to mark this as a draft for now. I think it's probably a sensible change even now the proximate need for it has been backed out (#457338), but not for 25.11.

[me-and]

And re-opening now this can be merged into (presumably) master for 26.05.

[me-and]

...except now with updated documentation for targeting 26.05.

[me-and]

@ConnorBaker At #456994 (comment) you said you'd like to see this PR merged. I think all the feedback has now been merged, and I'd rather get it in before there can be any merge conflicts. Are you able and willing to press the magic buttons?

[ConnorBaker]

Apologies for the delay!