nix-shell --pure keeps the $PATH environment variable

[johnbcoughlin]

The user's $PATH is present without modification in a pure nix-shell

Problem Statement

PR #2323 introduced the option to keep user environment variables around, like nix-shell --keep-vars baz. It also introduced a default list of environment variables to keep around. Among other innocuous choices, this list includes PATH.

It seems to me that a primary use case of nix-shell is precisely to void the user's PATH, and start from scratch with a known set of binaries. This is evidenced by the filing of #3090 and #903, which ask for nix-shell to be usable as an isolation mechanism. #3090 was closed by #3131, which removed the sourcing of ~/.bashrc from --pure shells. However, the emplacement of PATH is arguably a much bigger violation of isolation.

Everyone is confused about this behavior. See for example:

• the conversation I had on #nixos, where it was suggested that this behavior was due to a problem with my .nix file, or
• https://www.reddit.com/r/NixOS/comments/c1n6ww/extra_paths_in_nixshell_path/
• https://www.reddit.com/r/NixOS/comments/g9gdcy/nixshell_what_does_pure_mean/
• the documentation for nix-shell, which I quote here:

--pure
  If this flag is specified, the environment is almost entirely cleared before the interactive shell is
  started, so you get an environment that more closely corresponds to the “real” Nix build. A few
  variables, in particular HOME, USER and DISPLAY, are retained. Note that ~/.bashrc and
  (depending on your Bash installation) /etc/bashrc are still sourced, so any variables set there
  will affect the interactive shell.

It seems clear that PATH is more important to mention than any of the three variables actually mentioned, and has more of an impact on whether the environment closely corresponds to the real Nix build.

• Pill 10, which states,

We then enter a new bash shell, but it's really useless. We expected to have the GNU hello world build inputs available in PATH, including GNU make, but it's not the case.

There's also a wealth of content on the internet about isolating your environment using nix-shell [--pure], etc. None of the articles or documentation seem to realize that their shell is not at all isolated from the preexisting PATH.

What to do about it

• First of all, it would be great to have a proposal of how to mitigate this and be able to enter a pure nix-shell with a totally blank PATH.
• The most natural thing would seem to be to remove PATH from the list of kept vars. However, I'm mindful that this would break some scripts that rely on this behavior (perhaps without realizing it). I'm not sure what to do about that.
• For new scripts that want to pull in PATH, they could just append it manually via nix-shell --keep PATH. That is to say, it seems to be easier to pull in the PATH than to make sure it's not there.
• zimbatm makes a great point in this comment, which is that nix-shell is probably used in two ways: dropping into a failing build and debugging, and creating a dynamic profile to work on a source tree.

In summary, there are arguments in favor of keeping PATH in nix-shell --pure. If the maintainers decide that is the way they want to go, it should at least be thoroughly documented, and, I think, an alternative suggested for users who are looking to strictly control the binaries they execute in the shell. On the other hand, it would seem to be much easier to introduce the user's PATH than to eliminate it, and for that reason I advocate removing PATH from the list of env vars which are kept by default.

[johnbcoughlin]

I suspect this was due to something in `/.bashrc, which I've been changing a fair amount, because it's no longer occurring. If I get a chance, I will try to reproduce it again.