firefox: relax disallowedRequisites to disallowedReferences to fix cuda build

[GaetanLepage]

When cudaSupport is enabled, cudaPackages.cuda_nvcc becomes a transitive dependency of firefox.
cuda_nvcc has backendStdenv.cc in its propagatedBuildInputs which violates firefox's disallowedRequisites policy.
This breaks firefox when cudaSupport is enabled:

firefox> building '/nix/store/7s1dyndj7r33wck6dywjf6kqxah7ngm2-firefox-144.0.2.drv'
firefox> structuredAttrs is enabled
error: output '/nix/store/b3cyrj28jf03mrf15jmy9whhfrgy2bxw-firefox-144.0.2' is not allowed to refer to the following paths:
         /nix/store/x8mydcgbry214s802nzvy7fdljx404ym-gcc-wrapper-14.3.0

I propose to relax the disallowedRequisites assertion and simply migrate to disallowedReferences which ensures that stdenv.cc is not a direct dependency of firefox.

NOTE: this only became an issue recently (since #437723) because before, cudaPackages.backendStdenv and stdenv were differing.
Now they are the same, which triggers this error.

cc @mweinelt @booxter
cc @ConnorBaker @SomeoneSerge

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

---

Add a 👍 reaction to pull requests you find important.

[booxter]

Hm. Why are these references in the output though? Do you have a list of matches that break the expectation? I'd not expect gcc-wrapper to be in the final output.

[Janrupf]

If I understand correctly this happens because cuda_nvcc has the stdenv in its propagated build inputs:

nixpkgs/pkgs/development/cuda-modules/packages/cuda_nvcc.nix

Lines 24 to 25 in a4c85a9

	# Entries here will be in nativeBuildInputs when cuda_nvcc is in nativeBuildInputs
	propagatedBuildInputs = [ backendStdenv.cc ];

But I don't know how this propagates through onnxruntime

[SomeoneSerge]

My preliminary assessment is that we need to revert nvcc's propagatedBuildInputs back to

nixpkgs/pkgs/development/cuda-modules/_cuda/fixups/cuda_nvcc.nix

Line 50 in 99fe7be

propagatedBuildInputs = prevAttrs.propagatedBuildInputs or [ ] ++ [ setupCudaHook ];

, but uhh "preliminary"

[Janrupf]

Not sure if I misunderstand something - but onnxruntime shouldn't depend on nvcc at runtime, should it? As far as I understand cuda_nvcc depending on gcc at runtime is fine, but onnxruntime depending on nvcc at runtime is not, its in nativeBuildInputs there afterall

[SomeoneSerge]

@Janrupf I didn't read the onnxruntime part yet, will follow up

[SomeoneSerge]

Actually, even now I feel fairly confident that relaxing disallowedRequisites would be the wrong thing to do here

[Janrupf]

I agree, this is an actual issue and not in firefox either. What I'm trying to say is that while firefox reveals the issue and it may have been detected due to a change in the cuda package set, the real issue (again, if I understand correctly) is onnxruntime depending on nvcc at runtime.

EDIT: It seems like the hashes for the nvcc package end up in libonnxruntime_providers_cuda.so in onnxruntime (strings and then grep for the nvcc derivation hash), which in return probably results in nix adding nvcc as a runtime dependency.

[winterqt]

Closing as I think we’re all in agreement that this isn’t the right move.

[GaetanLepage]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 457391 --extra-nixpkgs-config '{ allowUnfree = true; cudaSupport = true; }'
Commit: cd7510e4de167e9f788b41b378bcf5f131ba7cc4

---

x86_64-linux

✅ 21 packages built:

• dropbox
• dropbox-cli
• dropbox-cli.nautilusExtension
• eyewitness
• firefox
• firefox-beta
• firefox-bin
• firefox-devedition
• firefox-esr
• firefox-mobile
• floorp-bin
• librewolf
• librewolf-bin
• mate.caja-dropbox
• nixpkgs-manual
• sitespeed-io
• thunderbird (thunderbird-latest)
• thunderbird-140 (thunderbird-esr)
• thunderbird-bin
• thunderbird-esr-bin
• vimb

[carlthome]

As a regular NixOS 25.05 (soon 25.11) user who's just trying to get nixos-rebuild to work again with Firefox enabled on a gaming desktop, what's the suggested action to resolve this issue?

Found this PR by Googling.

[GaetanLepage]

As a regular NixOS 25.05 (soon 25.11) user who's just trying to get nixos-rebuild to work again with Firefox enabled on a gaming desktop, what's the suggested action to resolve this issue?

Found this PR by Googling.

The easiest would be to switch to nixos-25.11, where the problem is fixed.
If you really have to remain on nixos-25.05, you can use:

programs.firefox = {
  package = pkgs.firefox.overrideAttrs { disallowedRequisites = [ ]; };
};

or if you don't use the programs.firefox module:

environment.systemPackages = [
  (pkgs.firefox.overrideAttrs { disallowedRequisites = [ ]; })
];

[SomeoneSerge]

@carlthome please also do report your nixpkgs revision and the output of nix why-depends --precise $firefoxOutput $nvccOutput