coreboot-toolchain: add allowedRequisites=[]

This commit exposes a bug in the coreboot-toolchain expression; if you
nix-build that expression at this commit and do not use subsituters,
you will get a failure like this:

error: output '/nix/store/nvswbzyl39ifpwswfvx132j2mys80ifr-coreboot' is not allowed to refer to the following paths:
         /nix/store/8ngciqnw8jzvyvbx00arkp05gvn5q6sq-libunistring-1.0
         /nix/store/p2r9ynirymj47x5m6y9pnq0lpssn4ahm-bash-5.1-p16
         /nix/store/rflgyvwcnmrql5wf8kchynmmq7raggvj-libidn2-2.3.2
         /nix/store/rszg7d581z3v3fwrak68ba2wv5lrckx7-glibc-2.34-115

The root cause of the bug is this line in
tools/misc/coreboot-toolchain/default.nix:

  sha256 = "073n8yid3v0l9wgwnrdqrlgzaj9mnhs33a007dgr7xq3z0iw3i52"

This hash covers the result of the fetchgit operation, including the
postFetch block.  The postFetch block runs patchShebangs, which writes
the store-path of ${stdenv.shell} into $out/util/crossgcc/buildgcc
*before* computing its hash.

The next commit after this one fixes the bug by moving patchShebangs
out of the postFetch block, so it happens *after* the hash is
computed.

Note that even without allowedRequisites=[], the state of the code
prior to this commit is problematic.  Because it hardcodes the
store-path of stdenv, the expression will break in these situations:

* Building on a platform other than x86_64-linux, since those
  platforms will have a different boostrap-files store-path and
  therefore a different stdenv store-path.

* Building with an overlay which adds -march= or other compiler flag
  customizations to stdenv.

* Future nixpkgs users if nixpkgs commits any change which influences
  the store-path of stdenv.

So we should fix the problem in any event.  The `allowedRequisites=[]`
added by this commit ensures that the problem will be noticed
immediately if it recurs in the future.

0 files changed, 0 insertions, 0 deletions