openssl: better check that withPerl=false prevents perl reference

[thomasjm]

Motivation for this change

This is a PR to fix #19965, making it possible to remove a large 50MB perl dependency from the closure of openssl.bin when using withPerl=false. The checks in openssl/default.nix weren't quite right before, and there was an unnecessarily restrictive assert preventing you from setting withPerl to false when not cross-compiling.

I wanted to do this so I could deploy nodejs-slim in a Docker container, without bringing in perl. I'll open a separate PR for that.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[veprbl]

So at this point I see

# head $(nix-build -E '((import ./. {}).openssl.override { withPerl = false; }).bin')/bin/c_rehash
#!/usr/bin/env perl

So there is no bug, other than the pesky assert (the withPerl option introduced in ef24a28 and immediately locked out for no apparent reason). We could just remove disallowedReferences and merge this to master.

[thomasjm]

Why not keep the disallowedReferences to keep this from regressing again? Looking at #19965 it seems like it has in the past.

[veprbl]

Why not keep the disallowedReferences to keep this from regressing again? Looking at #19965 it seems like it has in the past.

If the goal is to prevent dependency on buildPackages.perl spliced from the nativeBuildInputs, then it's probably need to be spelled out in disallowedReferences explicitly (not just perl) and unconditionally with respect to withPerl. At that point we might as well set strictDeps = true;.

[veprbl]

Also can we organize the two changes into separate commits (or even better, separate PRs)?

[thomasjm]

I only found a single passing reference to strictDeps in the nixpkgs manual which I don't fully understand, but happy to switch to it if you prefer. For now I just updated the disallowedReferences.