Make python3 minimal truly minimal by disabling some more dependencies.
This makes it easy to bootstrap python.
After this, the only remaining runtime deps for python3Minimal are:
- bash (for launching subprocesses with shell=True)
- libc
- libgcc
- libffi
All remaining deps seem to be fundamental and cannot be further reduced, except bash which could potentially be removed and replaced with `$SHELL` at runtime.
Done:
- add some more withXXX switches to the cpython package
- use new switches in python3Minimal to disable some deps
- set some other deps to null in python3Minimal
- Set `allowedReferences` to guarantee that the closure remains minimal in the future.
They are not doing anything right now. This is in preparation for their
complete removal from the tree.
Note: several changes that affect the derivation inputs (e.g. removal of
references to stub paths in build instructions) were left out. They will
be cleaned up in the next iteration and will require special care.
Note: this PR is a result of a mix of ugly regex (not AST) based
automation and some manual labor. For reference, the regex automation
part was hacked in: https://github.com/booxter/nix-clean-apple_sdk
Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
An attempt to address #338231. The current release of nixpkgs takes over
20GB of memory to evaluate python when the interpreter is overridden.
This adds memoization to the spliced python packages to avoid
evaluating all the combinations of overrides.
* util-linuxMinimal: build without pam and shadow
These depend on python via audit preventing the use of libuuid from
util-linux in python builds.
* cpython: provide libuuid for the _uuid module
Relying on libuuid offers synchronization primitives, so that "no two
processes can obtain the same UUID"¹.
[1] https://docs.python.org/3/library/uuid.html#module-uuid
The status quo of `bash` not being interactive is frustrating for many users,
because trying to use it interactively is just messed up, and
`bashInteractive` is not intuitive and barely discoverable.
This was brought to my (and many others') attention by @stahnma in his
[talk at CfgMgmtCamp 2025](https://cfp.cfgmgmtcamp.org/ghent2025/talk/YUVUTN/),
where he highlighted this as one of the frustrations he ran into when
learning Nix.
Why this is fine:
- No reason for not making interactive the default was given in the original commit (6c6ff6f36f), but probably it was due to the increase in closure size
- The closure size only increases by 6.9MiB (19.5%) today, with the
added dependency on the store paths for readline and ncurses, which
are needed on systems in almost all cases anyways
- If somebody really needs to get a more minimal system, they can use
the newly-introduced `bashNonInteractive` instead now
- Though to apply it consistently, they'll need to do that in an
overlay like
```
final: prev: {
  # Resolve through the overlay's own `final` argument; `self` is not bound here.
  bash = final.bashNonInteractive;
}
```
Or alternatively using the `system.replaceDependencies.replacements`
NixOS option approach.
While there's also other such `*Interactive` packages that could use the
same treatment, `bash` is a great start.
This was already attempted before in
https://github.com/NixOS/nixpkgs/pull/151227, but was not continued for
an unknown reason.
To avoid stdenv becoming bigger, all uses of bash in the (working)
stdenv's are changed to the explicitly non-interactive version here.
This commit will however still cause a mass rebuild for all packages (and reverse deps)
making use of the default bash.