opam: fix opam sandboxing on nixos

[eilvelia]

Before this commit, executing opam init would display that sandboxing fails with "bwrap: execvp sh: No such file or directory". makeWrapper with --set OPAM_USER_PATH_RO /run/current-system/sw/bin:/nix/ had been used here to fix that, however, OPAM_USER_PATH_RO has been removed since 2021: ocaml/opam@9b6370d (released as opam 2.2.0 in 2024)

This also fixes a funny bug which caused the changelog link to be broken because of with lib:

meta = with lib; {                                                   
  description = "Package manager for OCaml";                         
  homepage = "https://opam.ocaml.org/";                              
  changelog = "https://github.com/ocaml/opam/raw/${version}/CHANGES";
  maintainers = [ ];                                                 
  license = licenses.lgpl21Only;                                     
  platforms = platforms.all;                                         
};                                                                   

It uses meta = with lib;; at the same time, the derivation's attrset is not rec, and ${version} ends to be lib.version.

cc @kit-ty-kate

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[eilvelia]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 363770

---

x86_64-linux

✅ 3 packages built:

• dune-release
• opam
• opam.installer

[kit-ty-kate]

i'm no nixos expert but from afar it looks reasonable

[kit-ty-kate]

I've opened a PR upstream fixing this issue: ocaml/opam#6333
If you think this is the correct fix it will be part of the upcoming opam 2.4.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/5027

[thiagokokada]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 363770

---

x86_64-linux

✅ 3 packages built:

• dune-release
• opam
• opam.installer

[eilvelia]

(The ofborg failure does not look related to this.)

[GaetanLepage]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 363770

---

x86_64-linux

✅ 3 packages built:

• dune-release
• opam
• opam.installer

---

aarch64-linux

✅ 3 packages built:

• dune-release
• opam
• opam.installer

---

x86_64-darwin

✅ 3 packages built:

• dune-release
• opam
• opam.installer

---

aarch64-darwin

✅ 3 packages built:

• dune-release
• opam
• opam.installer

[GaetanLepage]

LGTM

[nixpkgs-ci]

Successfully created backport PR for release-24.11:

• [Backport release-24.11] opam: fix opam sandboxing on nixos #372586