lib.mkPackageVariants: init; openssl: migrate to mkPackageVariants

[qweered]

Adds lib.mkPackageVariants to standardize multi-version package management in nixpkgs. Currently, packages like openssl, perl, etc. each reinvent their own variant handling — this provides a shared abstraction for it. Extensive tests added to lib/test/customisation.nix

Inspired by corepkgs' mkManyVariants, but adapted for nixpkgs:

	corepkgs mkManyVariants	nixpkgs mkPackageVariants
callPackage	Uses internal callFromScope	Caller-provided callPackage, pre-bound via splice.nix (same pattern as callPackage itself)
allowAliases	Reads from config directly	Explicit parameter, defaults to config.allowAliases in the splice binding
Return value	defaultPackage.override	defaultPackage directly (override is already available via callPackage/makeOverridable)
Feature variants	Not supported	Per-variant overrideArgs allows feature variants (e.g., oqs, legacy) that share version metadata but change build arguments
File detection	Explicit paths required	Auto-detects variants.nix and generic.nix in caller's directory via unsafeGetAttrPos

The generic builder follows a curried pattern — first receives variant-specific args (version, hash, patches, plus helpers like packageOlder/packageAtLeast), then package args resolved by callPackage. All variants are accessible via passthru (e.g., openssl.v1_1, openssl.v3_6, openssl.oqs), and pkg.override { ... } flows through to the generic builder without per-package boilerplate.

I migrated openssl as a proof-of-concept to verify everything works end-to-end, including by-name compatibility. The old monolithic default.nix is split into generic.nix (curried builder), variants.nix (version metadata), and a thin package.nix wrapper. openssl_oqs and openssl_legacy are also migrated from inline .override calls to proper variants. All backward-compat aliases are preserved.

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

[RossComputerGuy]

The approach so far seems reasonable, only have this nit so far.

[qweered]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 496617
Commit: 6653d83ae8968aaa3a4dd937d6944d7d73ec47cf

---

x86_64-linux

⏩ 2 packages blacklisted:

• nixos-install-tools
• tests.nixos-functions.nixos-test

✅ 4 packages built:

• extra-container
• nixos-container
• nixpkgs-manual
• tests.lib-tests

[quantenzitrone]

How do we tell the nixpkgs search which attributes should be shown?
How do we tell hydra where all the package variants are located that need to be evaluated?

As far as I know this is currently done through recurseForDerivations = true;, so all attribute sets with that attribute are also searched for derivations.

This does not work for attributes in passthru. We can't search every package for derivations.

[emilazy]

Yeah, derivations inside derivations are a non‐starter without several changes outside of Nixpkgs. nix search and nix-env can’t handle them either; it’s baked into the codebase.

[quantenzitrone]

While writing down the new version of my RFC 197 I thought we could maybe make all versioned packages package sets like we currently do for nix with nixVersions.
If we do that it would be consistent to also have versioned package sets be in a package-set-set like currently for ocamlPackages with ocaml-ng and lixPackages with lixPackageSets.