nixos-rebuild-ng: rework env handling in process.run_wrapper #493085

Open
thiagokokada wants to merge 2 commits into NixOS:staging-nixos from thiagokokada:nixos-rebuild-ng-sanitize-env

@thiagokokada
Contributor

Replace extra_env with a typed env mapping and introduce PRESERVE_ENV for variables that must be inherited from the caller.

For remote execution, pass environment through env -i on the remote side and expand preserved values there (e.g. ${PATH-}), so SSH's own environment is not polluted.

For local sudo execution, stop using --preserve-env and only inject env -i ... when explicit env values are requested; otherwise keep subprocess.run(env=None) to preserve default behavior.

For local execution without sudo we only replace the environment variables when env != None.

Fix #491850.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.
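
An added example, not code from this PR or from nixos-rebuild-ng, of the command construction the description above outlines: a remote shell string that runs under `env -i` and lets the remote shell expand preserved values, and a local sudo argv that only gains `env -i` when an explicit `env` is given. The function names, the sentinel representation of `PRESERVE_ENV`, the variable-name check and the choice to resolve preserved values from the caller's environment in the local case are assumptions.

```python
import re
import shlex
from collections.abc import Mapping, Sequence


class _Preserve:
    """Marker: take the value from the environment where the command runs."""


PRESERVE_ENV = _Preserve()  # name from the PR; this representation is assumed
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _check(name: str) -> str:
    # Names are emitted unquoted, so reject anything a shell could interpret.
    if not _NAME.fullmatch(name):
        raise ValueError(f"invalid environment variable name: {name!r}")
    return name


def remote_command(args: Sequence[str], env: Mapping[str, object]) -> str:
    """Shell string to hand to ssh; the remote shell expands preserved values."""
    words = ["env", "-i"]
    for name, value in env.items():
        _check(name)
        if value is PRESERVE_ENV:
            # ${NAME-} yields the remote value, or an empty string when unset.
            words.append(f'{name}="${{{name}-}}"')
        else:
            words.append(f"{name}={shlex.quote(str(value))}")
    return " ".join(words + [shlex.quote(a) for a in args])


def local_sudo_argv(args, env, caller_env):
    """argv list for subprocess.run; no shell is involved, so no quoting."""
    if env is None:
        return ["sudo", *args]  # nothing requested: keep default behaviour
    pairs = []
    for name, value in env.items():
        _check(name)
        resolved = caller_env.get(name, "") if value is PRESERVE_ENV else str(value)
        pairs.append(f"{name}={resolved}")
    return ["sudo", "env", "-i", *pairs, *args]
```
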

@thiagokokada thiagokokada force-pushed the nixos-rebuild-ng-sanitize-env branch from 156d40b to ad30ddd Compare February 22, 2026 17:32
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 10.rebuild-nixos-tests This PR causes rebuilds for all NixOS tests and should normally target the staging branches. 2.status: merge-bot eligible This PR can be merged by commenting "@NixOS/nixpkgs-merge-bot merge". 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS labels Feb 22, 2026
@thiagokokada
Contributor Author

If possible I would like testing with things like --build-host, --target-host and --sudo.

CC @Scrumplex @r-vdp @philiptaron

Replace `extra_env` with a typed `env` mapping and introduce
`PRESERVE_ENV` for variables that must be inherited from the caller.

For remote execution, pass environment through `env -i` on the remote
side and expand preserved values there (e.g. `${PATH-}`), so SSH's own
environment is not polluted.

For local sudo execution, stop using `--preserve-env` and only inject
`env -i ...` when explicit `env` values are requested; otherwise keep
`subprocess.run(env=None)` to preserve default behavior.

For local execution without sudo we only replace the environment
variables when `env != None`.

Fix NixOS#491850.
@thiagokokada thiagokokada force-pushed the nixos-rebuild-ng-sanitize-env branch from ad30ddd to 97a3995 Compare February 22, 2026 18:06