Nix-build and pure-eval issues

I’m trying to build a derivation in pure evaluation mode to make sure that it will also work with Flakes and possibly on Hydra. So I made a test derivation which should definitely be pure:

default.nix

derivation {
  name = "pure-eval-test";
  builder = ./builder.sh;
  system = "x86_64-linux";
}

builder.sh

#!/bin/sh
echo "" > $out

However, running nix-build with pure evaluation turned on reports:

$ nix-build --option pure-eval true default.nix
error: --- RestrictedPathError --- nix-build
access to path '/home/henri/default.nix' is forbidden in restricted mode

This is of course very pure, not even allowing the input file to be read, but I have the feeling that this sort of defeats the purpose. What am I doing wrong here?

2 Likes

I just hit this too. I thought this used to work, or something like it?

I filed nix-build --pure-eval doesn't work (as I recall?) · Issue #4651 · NixOS/nix · GitHub

1 Like

Have you tried running it from a flake? It may actually work in a flake since the flake is uploaded to the store first and relative paths become relative to that store path. If not, putting toString in front of the path will probably fix it.

I know it’s an old post, but for future reference:

In pure evaluation mode, no file system access is allowed outside of the paths returned by fetch{Git,Mercurial,url,Tarball}. fetchGit and fetchMercurial accept a commit hash, while fetchurl and fetchTarball accept a sha256.

The easiest way to set it up would be to add your default.nix to a Git repo, make a commit, then use fetchGit with that specific commit. Example:

nix-build --option pure-eval true --expr 'import (fetchGit { url = "/path/to/git/repo"; rev = "9571bfce07b60c5f931a4965dcd9691d12b22690"; })'
1 Like
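
The Git-repo procedure from the answer above, scripted as an added example (not part of the original posts or of Nix itself). The function names and the throwaway commit identity are hypothetical, and it assumes a SHA-1 Git repository, so the pinned rev is a 40-character hex hash like the one in the command above.

```shell
#!/bin/sh
# Added example: commit a directory holding default.nix, then build it
# in pure evaluation mode pinned to that exact commit.
set -eu

# True only for a full 40-hex commit hash (branch names and short hashes fail).
is_full_rev() {
  [ "${#1}" -eq 40 ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Print the Nix expression used in the thread for a repo path and pinned rev.
pure_eval_expr() {
  expr_repo=$1 expr_rev=$2
  case $expr_repo in
    *\"*|*\\*|*\$*) echo "unsupported character in path: $expr_repo" >&2; return 1 ;;
    /*) ;;
    *) echo "repo must be an absolute path: $expr_repo" >&2; return 1 ;;
  esac
  is_full_rev "$expr_rev" || { echo "not a full commit hash: $expr_rev" >&2; return 1; }
  printf 'import (fetchGit { url = "%s"; rev = "%s"; })\n' "$expr_repo" "$expr_rev"
}

# Commit everything in the directory (creating the repo if needed); print HEAD.
commit_snapshot() {
  snap_dir=$1
  [ -d "$snap_dir/.git" ] || git -C "$snap_dir" init -q
  git -C "$snap_dir" add -A
  # Only create a commit when something is actually staged.
  git -C "$snap_dir" diff --cached --quiet ||
    git -C "$snap_dir" -c user.name=pure-eval -c user.email=pure-eval@example.invalid \
      commit -q -m "snapshot for pure eval"
  git -C "$snap_dir" rev-parse HEAD
}

# Usage: sh pure-eval-build.sh /dir/containing/default.nix
if [ "$#" -gt 0 ]; then
  build_repo=$(cd "$1" && pwd)          # fetchGit gets an absolute path
  build_rev=$(commit_snapshot "$build_repo")
  nix-build --option pure-eval true --expr "$(pure_eval_expr "$build_repo" "$build_rev")"
fi
```

Because the build is pinned to the commit, edits made to default.nix after the snapshot are not picked up until the script is run again and a new commit is created.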

See also Practical pure eval for paths in non-Flake CLIs · Issue #9329 · NixOS/nix · GitHub

1 Like