Hey, I don't understand why a nix-store -qR --include-outputs on a deriver does not include the outputs of dependencies.
Could you help me understand what's happening and if that's the expected behavior?

Basically, the question is why does the last command not contains the output of bison (only the deriver)?

$ nix-instantiate --eval https://releases.nixos.org/nixos/25.11-small/nixos-25.11.8880.5a035534a428/nixexprs.tar.xz -A hello.drvPath --raw
/nix/store/0a8f9vx5sdwdx4a27axfkkjznj5navrq-hello-2.12.2.drv
$ nix-store -q -R --include-outputs /nix/store/0a8f9vx5sdwdx4a27axfkkjznj5navrq-hello-2.12.2.drv | grep bison
/nix/store/vgjfnqbxgxa8a5575bhq07nm35b2l31m-bison-3.8.2.tar.gz.drv
/nix/store/i7miyh7832lkyy229nipb5h6zg5n32rc-bison-3.8.2.drv

Does that even make sense to have a dependency on a deriver but not on its output?

I tried to write a small reproducer (with no dependencies on nixpkgs), but I failed to reproduce:

let
  system = "x86_64-linux";
  # just a basic C program that outputs whatever is in $myRefs env var to $out env var
  builder = ./basic_builder;
in rec {
  a = derivation {
    inherit system builder;
    name = "a";
  };
  b = derivation {
    inherit system builder;
    name = "b";
    myRefs = [ a ]; # $myRefs is written by the builder in the output (so they are run-time deps only?)
  };
  c = derivation {
    inherit system builder;
    name = "c";
    myFakeRefs = [ b ]; #myFakeRefs are not used by the builder, (so they are build-time deps only?)
  };
}

And I get that result:

$ nix-store -q -R --include-outputs "$(nix-instantiate --eval --raw -A c.drvPath)"
/nix/store/bdv4b4s9wryp2cd951x276z17s7v1pi3-basic_builder
/nix/store/1rai7c3259jzzc9qj8jbs0yfwk1c6amx-a.drv
/nix/store/c4f5rm2pchf5b1vri68rpa2in03rnlwg-a
/nix/store/whfq9h0h0blyawwq0nd1qnsyagzm3nli-b.drv
/nix/store/gfs6f7kxal5a52ikndfq8fvfpmx0vz08-c.drv
/nix/store/ircx9amlbg2wlxycrcnsv76cv95fx8g1-b
/nix/store/m6gaqy1fh5hkmlippb5cxjx4l6a7ha98-c

I think I figured it out raito, nix-store does not add what it does not have in its local store, after a GC of my a, b and c drvs and outputs:

$ nix-store -q -R --include-outputs "$(nix-instantiate --raw -A c --arg entropy '"asdf"')"
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
/nix/store/bdv4b4s9wryp2cd951x276z17s7v1pi3-basic_builder
/nix/store/xdz4vb0mxqi9qdw277xbvcbgkq3hdlwc-a.drv
/nix/store/2xs04agqx8ky9rnrxpis7d8ykhd86l9v-b.drv
/nix/store/xnamzrlkfhg36l5hzpqbsj9ipra0114y-c.drv

I expected to be able to re-use nix-store -q to query the list of all dependencies (at build and runtime) without having to populate my local store.
I guess I will fall back to recursively parsing the .drvs by myself :)

I think I figured it out raito, nix-store does not add what it does not have in its local store, after a GC of my a, b and c drvs and outputs:

$ nix-store -q -R --include-outputs "$(nix-instantiate --raw -A c)"
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
/nix/store/bdv4b4s9wryp2cd951x276z17s7v1pi3-basic_builder
/nix/store/xdz4vb0mxqi9qdw277xbvcbgkq3hdlwc-a.drv
/nix/store/2xs04agqx8ky9rnrxpis7d8ykhd86l9v-b.drv
/nix/store/xnamzrlkfhg36l5hzpqbsj9ipra0114y-c.drv

I expected to be able to re-use nix-store -q to query the list of all dependencies (at build and runtime) without having to populate my local store.
I guess I will fall back to recursively parsing the .drvs by myself :)

In reply to @jlamur:matrix.org
https://passt.top (edit: sorry I didn't mean to RTFM, I thought you just asked for a link)

In reply to @blokyk:matrix.org
(basically, if i understand correctly: on linux, it allows giving as much flexibility as possible to derivations that use the network (normally only fixed-output derivations), by putting them in "user namespaces" (a similar mechanism to how isolation works for containers). without pasta, you'd need to run a larger chunk of the network- and isolation-managing code as root, extending the attack surface (and generally making things messier and harder to maintain))