DeterminateSystems/zero-to-nix

Issue with page `src/pages/start/3.nix-develop.mdx`: "nix develop" is not hermetic by default, as claimed

Closed · 1 comment

I believe the section at https://zero-to-nix.com/start/nix-develop#run-commands-inside-the-development-environment overstates the claim about hermeticism, and it takes passing -i to nix develop before the claim is true.

"As you can see, Nix development environments are hermetic in that they're isolated from the surrounding environment (such as your environment variables and paths like /bin and /usr/bin)."

But the examples in the section do not establish that the "develop" environment is hermetic. All it shows is that the executables provided by the flake are added to the path and available in the "develop" environment. It does not show that the calling environment is isolated from the "develop" environment. Both must be true for it to be hermetic.

Empirically, it appears that nix develop runs programs in a way that does not seal them from the surrounding environment. Instead, the environment seems to be modified in an additive way.

For example, I have the Helix editor installed through Homebrew, and I am able to access it from a "nix develop" environment.

% nix develop "https://flakehub.com/f/DeterminateSystems/zero-to-nix/*#example" --command which hx
/home/linuxbrew/.linuxbrew/bin/hx
% nix develop "https://flakehub.com/f/DeterminateSystems/zero-to-nix/*#example" --command hx --version
helix 24.3 (2cadec0b)

The 'hx' binary is not provided by "https://flakehub.com/f/DeterminateSystems/zero-to-nix/*#example", and if "nix develop" provided a hermetic environment it should not be present in the path.

Now, nix-shell has the --pure argument, documented as:

       •  --pure
          If  this flag is specified, the environment is almost entirely cleared before the interactive shell is started, so
          you get an environment that more closely corresponds to the “real” Nix build. A few variables, in particular HOME,
          USER and DISPLAY, are retained.

The nix develop equivalent seems to be -i. With -i passed, nix develop is hermetic in the way claimed by this section. For example:

% HERMETICITY_TEST=on nix develop -i "https://flakehub.com/f/DeterminateSystems/zero-to-nix/*#example" --command hx --version
/tmp/nix-shell.ufj844: line 1846: exec: hx: not found

Suggestion: this section seems to be about the --command option to nix develop. Maybe delete mention of hermeticism entirely. Optionally, add a section discussing the various nuances with respect to nix develop and hermeticism.
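The check the issue performs by hand (plant a canary variable and a canary binary on PATH, then see whether the dev shell can still reach them) can be scripted. The following is an added example, not code from the zero-to-nix project or from the issue author; it assumes two stand-in "runners": one that inherits the caller's environment (what the issue observes for plain nix develop) and one that clears it with env -i while keeping HOME, USER and DISPLAY, mirroring the nix-shell --pure description (an assumption about nix develop -i's behaviour, not a statement of its implementation). To probe a real dev shell, swap in a runner such as nix develop -i FLAKE --command "$@".

```shell
#!/usr/bin/env sh
# Added example (not from zero-to-nix or the issue author): probe whether a
# runner seals a command from the calling environment.
#
# A runner is a shell function that executes its arguments in some
# environment. Two stand-ins are defined here (assumptions, see lead-in):
#   inherit_runner - runs the command in the caller's environment
#   cleared_runner - runs it under `env -i`, retaining only HOME, USER and
#                    DISPLAY as the nix-shell --pure man page describes
# Replace the runner with one that wraps `nix develop -i FLAKE --command "$@"`
# to probe an actual dev shell.

inherit_runner() { "$@"; }

cleared_runner() {
  env -i HOME="$HOME" USER="${USER:-}" DISPLAY="${DISPLAY:-}" \
      PATH=/usr/bin:/bin "$@"
}

# probe_env RUNNER -> prints "sealed" or "leaky var=yes|no path=yes|no".
# It exports a canary variable (HERMETICITY_TEST, as in the issue) and puts
# a constructed directory holding a fake `hx` at the front of PATH, then
# asks the runner whether either is visible from inside the environment.
probe_env() {
  runner=$1
  canary_dir=$(mktemp -d)
  printf '#!/bin/sh\necho canary hx\n' > "$canary_dir/hx"
  chmod +x "$canary_dir/hx"
  # The exports live in this subshell only, so the caller's env is untouched.
  result=$(
    export HERMETICITY_TEST=on
    export PATH="$canary_dir:$PATH"
    "$runner" sh -c '
      v=no; p=no
      [ "${HERMETICITY_TEST:-}" = on ] && v=yes
      command -v hx >/dev/null 2>&1 && p=yes
      echo "var=$v path=$p"'
  )
  rm -rf "$canary_dir"
  if [ "$result" = "var=no path=no" ]; then
    echo sealed
  else
    echo "leaky $result"
  fi
}

# Stand-alone usage: show both stand-ins side by side.
echo "inherit: $(probe_env inherit_runner)"
echo "cleared: $(probe_env cleared_runner)"
```

A "sealed" result is the behaviour the page claims; the additive behaviour the issue reports shows up as "leaky var=yes path=yes", which is what the inherit_runner stand-in produces. The canary binary is a harmless script, so the probe is safe to run against any environment.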

Ah, this is a dup of #241