Nix: go packages in --pure mode still point to the host's GOPATH

php editor Strawberry is here to introduce to you the problem of the go package in Nix --pure mode pointing to the GOPATH of the host. In Nix, --pure mode is a clean environment that does not rely on the host's environment variables and path settings. However, some users have found that using the go package in --pure mode still points to the host's GOPATH. This is because the go package in --pure mode is not completely independent of the host environment. It will still depend on the host's GOPATH setting to a certain extent. For this question, we need to further understand how Nix works and how to configure the environment correctly.

Question content

I am trying to use the go package to run a nix shell to test the go program. However, to ensure reproducibility, I don't want go in nix-shell to point to any host-related paths or information. Therefore, I was advised to use the --pure flag in the command.

My final command looks like this:

$ nix-shell --pure -p go

After the

shell starts, I run go env and see the following:

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/HOSTUSERNAME/.cache/go-build"
GOENV="/home/HOSTUSERNAME/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/HOSTUSERNAME/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/HOSTUSERNAME/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/nix/store/a7875alzpnr46z6mv4ssymfdwmvr6xbq-go-1.19.4/share/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/nix/store/a7875alzpnr46z6mv4ssymfdwmvr6xbq-go-1.19.4/share/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/run/user/1000/go-build3633664660=/tmp/go-build -gno-record-gcc-switches"

I would like to install my go project in a reproducible manner without using the host inherited gopath and other related environment variables.

Is there a way to completely separate the host system dependencies by installing the nix go package in the shell and then test the go project?

Solution

Even if the environment variables are GOPATH, GOENV, GOMODCACHE, &c. Not set at all , go env and related tools synthesize the default value relative to $HOME.

Therefore, if you want to regularly test that your project has no hidden dependencies on your home directory, you should wrap its build in a Nix fork; assuming you are on a platform where Nix supports sandboxing and this feature is enabled, This will cause the build to complete in the sandbox without access to your home directory.

See gomod2nix and the more general Go entry on nixos.wiki for guidance on building forks to wrap program builds.

Also, please note that nix-shell --pure does not create a shell that is pure in any sense: still relies on nixpkgs from the local channel. If you want to control this, you need a shell.nix or flake.nix to pin a specific nixpkgs version.

The above is the detailed content of Nix: go packages in --pure mode still point to the host's GOPATH. For more information, please follow other related articles on the PHP Chinese website!