Understanding packages in NixOS module sudo

A lot of modules have a package option, which allows specifying a different package if available.
I have been looking at the implementation in the sudo module, but I am getting confused.

If I understand correctly, a package option is defined in options.security.sudo.package, and then referenced via config.security.sudo.package. And that is what happens in the wrapper definition on line 230.
But on line 246, environment.systemPackages = [ sudo ]; uses just sudo. Which, if I am correct, is just inherited from pkgs on line 9. Is that an error, or do I not understand something?

Also, on line 259 pkgs.buildPackages.sudo is used. And the same question here: how does this relate to config.security.sudo.package?

Wrappers come before systemPackages in PATH, so the binary used when running the sudo command is the one from the wrapper directory (PATH=/run/wrappers/bin:...:/run/current-system/sw/bin). It looks like the sudo package is added to systemPackages just to get the other binaries from that package onto PATH.

As for the part that uses pkgs.buildPackages.sudo, that part is just verifying that the sudoers file is valid, so it needs to run on the build platform instead of the host platform (relevant when cross compiling, since the sudoers file has to be created on the build platform).

As for why those two parts aren’t using config.security.sudo.package… well I dunno; they probably should be. Though I’m not sure how to get the buildPackages variant of that.

1 Like
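The PATH ordering described in the answer above, as an added example that is not part of the original thread or of the nixpkgs module. It builds a constructed temporary tree that mimics /run/wrappers/bin and /run/current-system/sw/bin; the function names `resolve_all` and `make_demo_root` and the stub files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a constructed directory tree stands in for a NixOS PATH.

# Print every executable named $1 found along the PATH-style string $2,
# in lookup order. The first line printed is the file the shell would run;
# later lines are copies shadowed by it.
resolve_all() {
    cmd=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
    IFS=$old_ifs
}

# Create the constructed tree: sudo exists in both directories (wrapper and
# package copy), visudo only in the system profile, as the answer describes.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/run/wrappers/bin" "$root/run/current-system/sw/bin"
    for f in run/wrappers/bin/sudo \
             run/current-system/sw/bin/sudo \
             run/current-system/sw/bin/visudo; do
        printf '#!/bin/sh\n' > "$root/$f"   # stub, not a real binary
        chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
}

demo_root=$(make_demo_root)
demo_path="$demo_root/run/wrappers/bin:$demo_root/run/current-system/sw/bin"

echo "sudo candidates, in lookup order (first one wins):"
resolve_all sudo "$demo_path"
echo "visudo candidates (only reachable via systemPackages):"
resolve_all visudo "$demo_path"
```

On a real NixOS machine, `resolve_all sudo "$PATH"` lists the actual candidates, and `ls -l` on the first result shows whether it is the setuid wrapper.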