From f5d06d7932b2f36bb217d7006f9656df5e788e59 Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Sun, 8 Dec 2024 22:00:32 -0400
Subject: [PATCH 1/3] dotnet/wrapper: don't inherit meta from unwrapped
(cherry picked from commit 6e180e8e5c890b772c6170b347b7ee4a9ee869f2)
---
 pkgs/development/compilers/dotnet/wrapper.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/compilers/dotnet/wrapper.nix b/pkgs/development/compilers/dotnet/wrapper.nix
index fe09151fb8fea..90b520519f942 100644
--- a/pkgs/development/compilers/dotnet/wrapper.nix
+++ b/pkgs/development/compilers/dotnet/wrapper.nix
@@ -22,7 +22,18 @@ type: unwrapped: stdenvNoCC.mkDerivation (finalAttrs: {
 pname = "${unwrapped.pname}-wrapped";
- inherit (unwrapped) version meta;
+ inherit (unwrapped) version;
+
+ meta = {
+ description = "${unwrapped.meta.description or "dotnet"} (wrapper)";
+ mainProgram = "dotnet";
+ inherit (unwrapped.meta)
+ homepage
+ license
+ maintainers
+ platforms
+ ;
+ };
 src = unwrapped;
 dontUnpack = true;
From bd101820465e921f23912e76848df1345de47b5f Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Sun, 8 Dec 2024 22:05:47 -0400
Subject: [PATCH 2/3] dotnet/combine-packages: don't inherit meta from cli
(cherry picked from commit a5d767c91d7b7d1b3935cdea20ecfd9b762aae2b)
---
 .../development/compilers/dotnet/combine-packages.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/compilers/dotnet/combine-packages.nix b/pkgs/development/compilers/dotnet/combine-packages.nix
index b745a40e878f6..6528fb3d56a1e 100644
--- a/pkgs/development/compilers/dotnet/combine-packages.nix
+++ b/pkgs/development/compilers/dotnet/combine-packages.nix
@@ -56,5 +56,14 @@ mkWrapper "sdk" (buildEnv {
 );
 };
- inherit (cli) meta;
+ meta = {
+ description = "${cli.meta.description or "dotnet"} (combined)";
+ inherit (cli.meta)
+ homepage
+ license
+ mainProgram
+ maintainers
+ platforms
+ ;
+ };
 })
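Review bot: The rebuilt `meta` in wrapper.nix has no comment explaining why `unwrapped.meta` is no longer inherited whole, and the same applies to the `cli.meta` block in combine-packages.nix. Every field not listed is silently dropped from the wrapped and combined packages, which presumably includes the vulnerability/EOL markers that patch 3 relies on, so the insecure-package gate now rests on `src = unwrapped` forcing the inner derivation; anything that reads only the wrapper's `meta` (audits, inventory tooling) will no longer see those markers. I would state that above the block, e.g. `# meta is rebuilt, not inherited: vulnerability/EOL markers stay on the unwrapped package and are enforced when src is evaluated`. Also, `description` has an `or "dotnet"` fallback but `homepage`, `license`, `maintainers` and `platforms` do not, so an input whose meta lacks one of them fails when that field is read. The enclosing derivations continue outside both hunks.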
From d3297722a5abb2c6cd4beafd3ce767de4a166ca1 Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Tue, 10 Dec 2024 15:10:15 -0400
Subject: [PATCH 3/3] dotnet: force evaluation of sdk nuget packages
This causes evaluation of the nuget packages to fail when the SDK is insecure, without requiring the individual packages to be permitted.
(cherry picked from commit e8df65937267c2bc06bc7c562410fae84f4d7329)
---
 .../compilers/dotnet/build-dotnet.nix | 40 ++++++++++++-------
 1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/pkgs/development/compilers/dotnet/build-dotnet.nix b/pkgs/development/compilers/dotnet/build-dotnet.nix
index ede86ad04eb47..5a7418709aec2 100644
--- a/pkgs/development/compilers/dotnet/build-dotnet.nix
+++ b/pkgs/development/compilers/dotnet/build-dotnet.nix
@@ -98,7 +98,7 @@ let
 in
 mkWrapper type (
- stdenv.mkDerivation rec {
+ stdenv.mkDerivation (finalAttrs: {
 inherit pname version;
 # Some of these dependencies are `dlopen()`ed.
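Review bot: Dropping `rec` at `stdenv.mkDerivation (finalAttrs: {` changes how every bare name in the attribute set resolves, and the body runs well past this hunk, so that cannot be checked from here. `inherit pname version;` suggests those two come from the enclosing `let`, but any other attribute that referred to a sibling through `rec` now either fails as an undefined variable or, if the same name exists in the outer scope, silently binds to that value instead. A one-line comment such as `# no rec: refer to sibling attributes through finalAttrs` would keep later edits from reintroducing the problem.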
@@ -194,19 +194,29 @@ mkWrapper type (
 {
 inherit icu hasILCompiler;
 }
- // lib.optionalAttrs (type == "sdk") {
- packages = commonPackages ++ hostPackages.${hostRid} ++ targetPackages.${targetRid};
- inherit targetPackages runtime aspnetcore;
-
- updateScript =
- let
- majorVersion = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version));
- in
- [
- ./update.sh
- majorVersion
- ];
- };
+ // lib.optionalAttrs (type == "sdk") (
+ let
+ # force evaluation of the SDK package to ensure evaluation failures
+ # (e.g. due to vulnerabilities) propagate to the nuget packages
+ forceSDKEval = builtins.seq finalAttrs.finalPackage.drvPath;
+ in
+ {
+ packages = map forceSDKEval (
+ commonPackages ++ hostPackages.${hostRid} ++ targetPackages.${targetRid}
+ );
+ targetPackages = lib.mapAttrs (_: map forceSDKEval) targetPackages;
+ inherit runtime aspnetcore;
+
+ updateScript =
+ let
+ majorVersion = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version));
+ in
+ [
+ ./update.sh
+ majorVersion
+ ];
+ }
+ );
 meta = with lib; {
 description = builtins.getAttr type descriptions;
@@ -239,5 +249,5 @@ mkWrapper type (
 "Dotnet SDK ${version} is EOL, please use 8.0 (LTS) or 9.0 (Current)"
 ];
 };
- }
+ })
 )
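Review bot: `forceSDKEval` is applied to `packages` and `targetPackages`, but `runtime` and `aspnetcore` are still inherited as-is, and the comment does not say whether that is deliberate. If those two are gated by their own metadata, say so in the comment; if not, they remain reachable from an SDK that fails evaluation. The comment could also note that `finalAttrs.finalPackage.drvPath` is the unwrapped derivation passed to `mkWrapper`, so the gate reflects any `overrideAttrs` on it, and that forcing `drvPath` from inside the SDK's own attributes is only safe while nothing that feeds `drvPath` reads `packages` or `targetPackages` (otherwise infinite recursion). Suggested wording, to be confirmed against their definitions: `# runtime/aspnetcore are not wrapped: they carry their own EOL/vulnerability meta`.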