Forbid runtime dependency on package in Nix overlay


Task description

I want to make sure that no derivation I install has a run-time dependency on a specified set of derivations. If I ask nix-env to install a package that has such a run-time dependency, I want it to say that I am asking for the impossible. Build-time dependencies are fine. I want to avoid huge cascade rebuilds, though.

In other words, I want to make sure that a derivation with name = evil never reaches my Nix store, but I am fine with it having been used to build other derivations on Hydra. Here is what I tried:

Failed attempt: use derivation meta attribute

self: super: {
  # overrideAttrs re-runs mkDerivation so the meta check is applied;
  # merging into old.meta keeps the rest of meta (license, description, ...)
  evil = super.evil.overrideAttrs (old: {
    meta = (old.meta or { }) // { broken = true; };
  });
}

but this makes nix-env refuse to install programs that have build-time dependencies on evil; for example, it refuses to install Go or Haskell programs (which are statically linked) because the compiler has some transitive dependency on evil.

Failed attempt: replace evil with something harmless

I write an overlay that replaces evil:

self: super: {
  evil = super.harmless; # e.g. super.busybox
}

It causes a major cascade rebuild.

Random idea

If there were a function like this:

self: super: {
  ghc = forget_about_dependencies_but_retain_hash_yes_I_know_what_I_Do [super.evil] super.ghc;
  # same for rustc, go and other compilers that link statically.
}

that would be a 90% solution for me.


It seems impossible to prevent some derivation from being in the store, but it is possible to make sure a profile does not contain run-time dependencies on it:

self: super: {
  world = (super.buildEnv {
    name = "world";
    paths = with super; [ foo bar baz ];
  }).overrideAttrs (_: { disallowedRequisites = [ super.evil super.ugly ]; });
}

So, if you put all the derivations you want in "world", you can be sure that evil and ugly are not among its dependencies. But they will still be downloaded into the store to build "world", even if they are not actually used by any derivation in paths.
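As an added example (not part of the answer above), the same guarantee can be audited after the fact from the shell: `disallowedRequisites` fails the build of "world", but it says nothing about a profile that was already installed, or about a store path built without the overlay. The function below reads the output of `nix-store -qR <path>` (the run-time closure) and reports every path whose package name is on the deny list. The names `evil` and `ugly` are the thread's placeholders, and the store paths in the usage comment are assumed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit a run-time closure
# against a deny list of package names, independent of disallowedRequisites.

# forbidden_in_closure NAME... < list-of-store-paths
# Reads store paths (one per line, as printed by `nix-store -qR`) on stdin,
# prints every path whose package name is exactly one of NAME..., and
# returns 1 if any were found, 0 if the closure is clean.
forbidden_in_closure() {
  found=0
  while IFS= read -r path; do
    # Drop "/nix/store/<hash>-" to get the "name-version" part. The hash
    # never contains '-', so the shortest prefix match stops right after it.
    pname=${path#/nix/store/*-}
    for name in "$@"; do
      case "$pname" in
        "$name" | "$name"-[0-9]*)
          # exact package name, optionally followed by a version
          printf '%s\n' "$path"
          found=1
          ;;
      esac
    done
  done
  return "$found"
}

# Typical use on a machine with Nix (placeholder paths, not executed here):
#   nix-store -qR ~/.nix-profile | forbidden_in_closure evil ugly
#   nix-store -qR "$(nix-build '<nixpkgs>' -A world)" | forbidden_in_closure evil ugly
```

Matching on the exact package name (with an optional version suffix) means a package called `evil-plugin` is not flagged by `evil`; list it separately if it should be. Because the check runs on the closure printed by the store, it covers transitive run-time references as well, which is exactly the set `disallowedRequisites` constrains at build time.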