CVE-2024-3094: Malicious code in xz 5.6.0 and 5.6.1 tarballs


Aside from the complexity of the implementation, how much do you expect to gain from such a change? What rebuild decrease would you call a net benefit for that? A 2x? 10x? 100x rebuild speedup?

Let’s imagine we can isolate liblzma. What would it take to rebuild packages against a new liblzma outside stdenv? My silly grep against currently running systems reveals the following direct users of the library:

```shell
$ fgrep -Rl liblzma.so $(nix path-info -r /run/current-system) 2>/dev/null | tr '/' ' ' | awk '{print $3}' | uniq
```

```text
yyqzw7xvsrn3h2zrvincbs1b291yzx8c-xz-5.6.1
0v0wrr6ngh9d487lhwicwr5z61kz40zw-kmod-31
b4hxc9cg3700ac8p50gcj6hrcp17f9c3-kmod-31-lib
s2d4y6k2lanq8v8vg3skaxhmdflv12px-elfutils-0.190
2zvi5q6fvrmznavnqgzc947wssilv9vy-xz-5.6.1-bin
3np3qw5y5xarl4hxbhk9vj2d5kmgqsir-systemd-255.2
n5r9q9hxnbk168ps5kgxz7c2b8ym63pn-xz-5.6.1
bd2rgypp76p9mh7cc8152v57ckcpa92n-elfutils-0.190
mpbhjn9188gjgfj33nciif90x1zrz2zk-libunwind-1.8.1
plxvn2qhfa298rvwnazflvf1a8can4ih-libarchive-3.7.2-lib
dgbkx58nibgmav24mdaa1kxp634c3bym-xz-5.6.1-bin
g1af0mi9dnhpzw569zh50hw99661bhkv-python3-3.11.8
0xyqy6xlhgc63skigila2s5ifbhqqy0d-squashfs-4.6.1
n351xy2dk3m93s66flf993fhdzhznrn1-libtiff-4.6.0
1bwr5a2jinva4m5rzrbbhbzxpdbl1bk8-rizin-0.7.2
7wz6hm9i8wljz0hgwz1wqmn2zlbgavrq-python3-3.11.8
1spv5a8yi21zvi5mc7d0nfc46r79fnh4-ffmpeg-headless-6.1.1-lib
v7myppkzzsqvbl8230kld6z6g7dxshq9-libunwind-1.8.1
95zlvlyij0lxrlvsp1kgln58wxmjhr0s-karchive-5.115.0
zpafyxg75x3giyimh0c377sgwyypbyql-libtiff-4.6.0-bin
2sg8lk8k6ddvmj5nps2c213nkvhjlymq-ffmpeg-headless-6.1.1-lib
acbnmbypm3chs3ich1x99if4z0wnvr23-ffmpeg-6.1.1-lib
a6kpglzpj6nan8bxfjiqfcvvzqi2sgb2-kmod-31-lib
cs7zpcypgdvn2pjl98sph7m4dclj1cf3-kmod-31
3h0ikvb7jcfmqd1gz9is9ln7zsf526ah-systemd-255.2
4ifz2p14l5zivj6nc8l9s28kwq1cnz9w-xz-5.6.1-doc
fw6ws2d0assaiidcvlaahraa1pavgcfj-rpm-4.18.1
c57hvlkji0waj4zq0yxv1dfdw438rjmm-libxmlb-0.3.15-lib
npvqxns3miwkryagf4clrlldxbs649i0-libarchive-3.7.2
yvsxjd4zm7dkgl97d8vksinsdbhshnf6-python3-3.11.8-env
9hk7mrhmjfncx9aabrx7c9x393zqpm8r-boost-1.81.0
sl3h5z7q1ii0vbm3329iiz2vk59ywrrj-source
i1kn97pqkhg00glv080rla291wf05bzf-expose-flakes-inputs
ir3hy542khqxakcyb3d3b7pjq61g96qd-perf-linux-6.8.2
ha08hi6c7ak2iv682vapycr91h4cvk0s-libtiff-4.6.0
xlyfsi4v0kn8cy8lzdblp8rgp237586p-ffmpeg-6.1.1-lib
mpqmb9lv0i804vm2yi58h0w4ddnn3gzr-python3-3.11.8
d5i2w6dwgpcwhza8ywnd273jnvyvq58w-libarchive-3.7.2-lib
jwmiqziglj42a3a357cjd8vwp4rn7l7z-python3-3.11.8
6yb3nkk9jc8gd4fwigi8ipxv3wydyk95-ffmpeg-4.4.4-lib
y7bx3zmi7s06aifbn5wb8pk6q9ik3nx5-gdb-14.1
asn5nzbf4rs4mgbbgg8llqrnrmvxgnbi-python3-3.11.8-env
42yf6sfapwip0wbsph9giig6gqr99088-system-path
wismz59j4g8fbxc1zkkx9x3nz5kpp300-systemd
```

They all better be updated if we update a vulnerable library, right?

To simulate a liblzma update I tweaked each package individually locally to change its output hash and ran `$ ./maintainers/scripts/rebuild-amount.sh HEAD^` to get the rebuild counts in nixpkgs:

Most popular are:

  • elfutils: 36058 x86_64-linux rebuilds
  • libunwind: 7790 x86_64-linux
  • python: 66773 x86_64-linux
  • libxml2: 50197 x86_64-linux

A python rebuild is probably a full nixpkgs rebuild.

Looking at the numbers above I would say it’s not worth the complexity of fiddling with xz outputs. We will rebuild most things anyway, even if xz were not in stdenv; it’s used enough outside.

Note that there are more libraries (like pcre2) that cause stdenv rebuild. I don’t think holding those back just for stdenv will be any benefit rebuild-wise either.
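As an added example, not part of the original post, the Python below applies Nix's derivation-name convention to a constructed subset of the grep output above: it deduplicates the hits (the post's `uniq` without `sort` leaves repeats), separates the library's own outputs from its consumers, and groups consumers by package name. The sample input and the `group_dependents` helper are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the store path basenames printed by the
# fgrep command in the post (hashes and names copied from that output).
SAMPLE_HITS = """
yyqzw7xvsrn3h2zrvincbs1b291yzx8c-xz-5.6.1
0v0wrr6ngh9d487lhwicwr5z61kz40zw-kmod-31
b4hxc9cg3700ac8p50gcj6hrcp17f9c3-kmod-31-lib
s2d4y6k2lanq8v8vg3skaxhmdflv12px-elfutils-0.190
2zvi5q6fvrmznavnqgzc947wssilv9vy-xz-5.6.1-bin
n5r9q9hxnbk168ps5kgxz7c2b8ym63pn-xz-5.6.1
bd2rgypp76p9mh7cc8152v57ckcpa92n-elfutils-0.190
g1af0mi9dnhpzw569zh50hw99661bhkv-python3-3.11.8
7wz6hm9i8wljz0hgwz1wqmn2zlbgavrq-python3-3.11.8
sl3h5z7q1ii0vbm3329iiz2vk59ywrrj-source
i1kn97pqkhg00glv080rla291wf05bzf-expose-flakes-inputs
"""

# A store basename is a 32-character Nix base32 hash, a '-', then the name.
STORE_BASENAME = re.compile(r"^([0-9a-z]{32})-(.+)$")


def parse_drv_name(name):
    """Split 'name-version' the way Nix's builtins.parseDrvName does:
    the version starts at the first '-' that is followed by a digit,
    so 'xz-5.6.1-bin' -> ('xz', '5.6.1-bin') and a name with no such
    hyphen has an empty version."""
    m = re.search(r"-(?=[0-9])", name)
    if m is None:
        return name, ""
    return name[:m.start()], name[m.end():]


def parse_store_basename(basename):
    """Return (hash, pname, version) for a /nix/store basename."""
    m = STORE_BASENAME.match(basename.strip())
    if m is None:
        raise ValueError(f"not a store path basename: {basename!r}")
    pname, version = parse_drv_name(m.group(2))
    return m.group(1), pname, version


def group_dependents(listing, library_pname):
    """Collapse a (possibly duplicated) hit list into pname -> set of
    distinct store names, leaving out the library's own outputs."""
    groups = defaultdict(set)
    for line in listing.splitlines():
        if not line.strip():
            continue
        _hash, pname, version = parse_store_basename(line)
        if pname == library_pname:
            continue  # xz's own outputs are not consumers of liblzma
        groups[pname].add(f"{pname}-{version}" if version else pname)
    return dict(groups)
```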
