From 80f5b5c44e519615c5df14540ce029326f2e845f Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Wed, 28 May 2025 17:25:32 +0300
Subject: [PATCH] docs(glue/snix_build): document why /nix/store is scratch

Even without nix/store in here, all output paths need to be write-able.

Change-Id: Ibeeba503844dee78de11fd2aa79b3ad207795059
Reviewed-on: https://cl.snix.dev/c/snix/+/30542
Tested-by: besadii
Autosubmit: Florian Klink
Reviewed-by: Vova Kryachko
---
 snix/glue/src/snix_build.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/snix/glue/src/snix_build.rs b/snix/glue/src/snix_build.rs
index bb74c6e9c..2f0442460 100644
--- a/snix/glue/src/snix_build.rs
+++ b/snix/glue/src/snix_build.rs
@@ -189,7 +189,15 @@ pub(crate) fn derivation_to_build_request(
 inputs_dir: nix_compat::store_path::STORE_DIR[1..].into(),
 constraints,
 working_dir: "build".into(),
- scratch_paths: vec!["build".into(), "nix/store".into()],
+ scratch_paths: vec![
+ "build".into(),
+ // This is in here because Nix allows you to do
+ // `pkgs.runCommand "foo" {} "mkdir -p $out;touch /nix/store/aaaa"`
+ // (throwing away the /nix/store/aaaa post-build),
+ // not because it's a sane thing to do.
+ // FUTUREWORK: check if nothing exploits this.
+ "nix/store".into(),
+ ],
 additional_files: additional_files
 .into_iter()
 .map(|(path, contents)| AdditionalFile {
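Review bot: The `FUTUREWORK: check if nothing exploits this.` line in the new comment above `"nix/store".into()` is ambiguous, and the comment drops the reasoning the commit message gives, namely that output paths must be writable even if `nix/store` were not listed. I would reword it to say what should be verified, e.g. `// FUTUREWORK: check whether any derivation relies on this; if not, make only the output paths writable.` Since `inputs_dir` on the first context line appears to resolve to the same `nix/store` directory, it is also worth one comment line stating that writes outside the declared outputs are expected to be discarded after the build, which this hunk does not show being enforced. `derivation_to_build_request` begins and ends outside the hunk.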