With #429797 merged, can you rebase this?

Rebased to include the cracklib changes.

Bashless kbd depends on legionus/kbd#138 and that's why I removed the disallowedRequisites commit.

An alternative would be to not directly depend on kbd in systemd. However I wouldn't know which path to use. /run/current-system/sw/bin doens't work as it's not available in the initrd.

Disabled compression in kbd now to get rid of bash. Fonts and keymaps are now stored uncompressed by default.

From the 899eb19700d40c124e5f30475323de0091f20755:

Increases the binary size by 2.3MiB. However, with the 9MiB saved
by removing the excessive dictionary from cracklib (#429797), this still
results in a net reduction of the mandatory closure size.

Once kbd allows using the compression libraries instead of shelling out
to the binaries (github.com/legionus/kbd#138) we can compress by
default again.

Add the package kbdCompressed for users that want to load custom
compressed fonts and keymaps. Alternatively, they can still uncompress
custom fonts and keymaps themselves and then call loadkeys/setfont on
it.

I'm really excited for this. Anything you need testing-wise, @nikstur?

I'm really excited for this. Anything you need testing-wise, @nikstur?

Awesome! Any of the normal systemd testing would be appreciated. I ran the lvm2-vdo tests already.

Probably makes sense to cherry-pick the changes onto master to not have to rebuild everything.

pkgsStatic.lvm2 now fails to build due to the disallowed requisite

$ rg bash /nix/store/7hm30llifnv7pn2sa3s5kmdc5myskxf5-lvm2-static-x86_64-unknown-linux-musl-2.03.33
/nix/store/7hm30llifnv7pn2sa3s5kmdc5myskxf5-lvm2-static-x86_64-unknown-linux-musl-2.03.33/nix-support/propagated-build-inputs
1:/nix/store/y14g6gck5jppfpw3b1cihg9irn5r0zf7-libaio-static-x86_64-unknown-linux-musl-0.3.113 /nix/store/6s9c1kcqm1nka0krnda028kb69l154ra-bash-interactive-static-x86_64-unknown-linux-musl-5.3p3-dev

Don't ask me why, but somehow bash leaks into propagated-build-inputs on static.

Every build input becomes a propagated build input on static — is that helpful?

Every build input becomes a propagated build input on static — is that helpful?

So this whole idea of moving scripts to a separate output doesn't work on static because bash will always be propagated because its in the buildInputs?

Is there a way to fix this (i.e. to ensure that bash isn't propagated)?

Hmm. There are other packages that just rm -f nix-support/propagated-build-inputs, which really is the right thing to do in any output that doesn't contain static libraries. Maybe that's the right thing to do here (for now)?

In the long term we can probably revisit this behaviour of pkgsStatic. We've talked before about encoding absolute paths to libraries in .pc files to create references. If we ever end up doing that I think we can drop this propagation hack once and for all, but that's a way off for now.

There are other packages that just rm -f nix-support/propagated-build-inputs, which really is the right thing to do in any output that doesn't contain static libraries.

libaio is a valid reference in propagated build inputs though. We can't just outright delete propagation, or else consumers of lvm2 will break.

imo, until we have a "good" fix (removing the wild propagation on static in favor of pkg-config tricks (#394607, #394610 ?), we should just not do the disallowed requisites check on static.

libaio is a valid reference in propagated build inputs though. We can't just outright delete propagation, or else consumers of lvm2 will break.

Right…

Fix is here: #435567

systemdUkify is another casualty, because Python depends on bash.