2017-12-25 17:38:45 +00:00
|
|
|
|
# Checks derivation meta and attrs for problems (like brokenness,
|
|
|
|
|
# licenses, etc).
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
lib, stdenv: Check `meta.platforms` against host platform and be open world
First, we need check against the host platform, not the build platform.
That's simple enough.
Second, we move away from exahustive finite case analysis (i.e.
exhaustively listing all platforms the package builds on). That only
work in a closed-world setting, where we know all platforms we might
build one. But with cross compilation, we may be building for arbitrary
platforms, So we need fancier filters. This is the closed world to open
world change.
The solution is instead of having a list of systems (strings in the form
"foo-bar"), we have a list of of systems or "patterns", i.e. attributes
that partially match the output of the parsers in `lib.systems.parse`.
The "check meta" logic treats the systems strings as an exact whitelist
just as before, but treats the patterns as a fuzzy whitelist,
intersecting the actual `hostPlatform` with the pattern and then
checking for equality. (This is done using `matchAttrs`).
The default convenience lists for `meta.platforms` are now changed to be
lists of patterns (usually a single pattern) in
`lib/systems/for-meta.nix` for maximum flexibility under this new
system.
Fixes #30902
2018-01-31 05:11:03 +00:00
|
|
|
|
{ lib, config, hostPlatform, meta }:
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
# See discussion at https://github.com/NixOS/nixpkgs/pull/25304#issuecomment-298385426
|
|
|
|
|
# for why this defaults to false, but I (@copumpkin) want to default it to true soon.
|
|
|
|
|
shouldCheckMeta = config.checkMeta or false;
|
|
|
|
|
|
2018-04-17 21:02:50 +01:00
|
|
|
|
allowUnfree = config.allowUnfree or false
|
|
|
|
|
|| builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
|
|
|
|
whitelist = config.whitelistedLicenses or [];
|
|
|
|
|
blacklist = config.blacklistedLicenses or [];
|
|
|
|
|
|
|
|
|
|
onlyLicenses = list:
|
|
|
|
|
lib.lists.all (license:
|
|
|
|
|
let l = lib.licenses.${license.shortName or "BROKEN"} or false; in
|
|
|
|
|
if license == l then true else
|
|
|
|
|
throw ''‘${showLicense license}’ is not an attribute of lib.licenses''
|
|
|
|
|
) list;
|
|
|
|
|
|
|
|
|
|
areLicenseListsValid =
|
|
|
|
|
if lib.mutuallyExclusive whitelist blacklist then
|
|
|
|
|
assert onlyLicenses whitelist; assert onlyLicenses blacklist; true
|
|
|
|
|
else
|
|
|
|
|
throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive.";
|
|
|
|
|
|
|
|
|
|
hasLicense = attrs:
|
|
|
|
|
attrs ? meta.license;
|
|
|
|
|
|
|
|
|
|
hasWhitelistedLicense = assert areLicenseListsValid; attrs:
|
|
|
|
|
hasLicense attrs && builtins.elem attrs.meta.license whitelist;
|
|
|
|
|
|
|
|
|
|
hasBlacklistedLicense = assert areLicenseListsValid; attrs:
|
|
|
|
|
hasLicense attrs && builtins.elem attrs.meta.license blacklist;
|
|
|
|
|
|
2018-04-17 21:02:50 +01:00
|
|
|
|
allowBroken = config.allowBroken or false
|
|
|
|
|
|| builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
2018-04-17 21:02:50 +01:00
|
|
|
|
allowUnsupportedSystem = config.allowUnsupportedSystem or false
|
|
|
|
|
|| builtins.getEnv "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM" == "1";
|
2017-05-20 17:44:20 +01:00
|
|
|
|
|
2018-09-23 17:45:03 +01:00
|
|
|
|
isUnfree = licenses: lib.lists.any (l: !l.free or true) licenses;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
|
|
|
|
# Alow granular checks to allow only some unfree packages
|
|
|
|
|
# Example:
|
|
|
|
|
# {pkgs, ...}:
|
|
|
|
|
# {
|
|
|
|
|
# allowUnfree = false;
|
|
|
|
|
# allowUnfreePredicate = (x: pkgs.lib.hasPrefix "flashplayer-" x.name);
|
|
|
|
|
# }
|
|
|
|
|
allowUnfreePredicate = config.allowUnfreePredicate or (x: false);
|
|
|
|
|
|
|
|
|
|
# Check whether unfree packages are allowed and if not, whether the
|
|
|
|
|
# package has an unfree license and is not explicitely allowed by the
|
2018-09-23 17:45:03 +01:00
|
|
|
|
# `allowUnfreePredicate` function.
|
2017-07-02 12:52:14 +01:00
|
|
|
|
hasDeniedUnfreeLicense = attrs:
|
|
|
|
|
!allowUnfree &&
|
|
|
|
|
hasLicense attrs &&
|
|
|
|
|
isUnfree (lib.lists.toList attrs.meta.license) &&
|
|
|
|
|
!allowUnfreePredicate attrs;
|
|
|
|
|
|
|
|
|
|
allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
|
2017-12-09 20:36:48 +00:00
|
|
|
|
allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
|
|
|
|
hasAllowedInsecure = attrs:
|
|
|
|
|
(attrs.meta.knownVulnerabilities or []) == [] ||
|
|
|
|
|
allowInsecurePredicate attrs ||
|
|
|
|
|
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
|
|
|
|
|
|
|
|
|
|
showLicense = license: license.shortName or "unknown";
|
|
|
|
|
|
|
|
|
|
pos_str = meta.position or "«unknown-file»";
|
|
|
|
|
|
|
|
|
|
remediation = {
|
|
|
|
|
unfree = remediate_whitelist "Unfree";
|
|
|
|
|
broken = remediate_whitelist "Broken";
|
2018-04-09 11:23:31 +01:00
|
|
|
|
unsupported = remediate_whitelist "UnsupportedSystem";
|
2017-07-02 12:52:14 +01:00
|
|
|
|
blacklisted = x: "";
|
|
|
|
|
insecure = remediate_insecure;
|
2018-09-18 14:30:59 +01:00
|
|
|
|
broken-outputs = remediateOutputsToInstall;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
unknown-meta = x: "";
|
|
|
|
|
};
|
|
|
|
|
remediate_whitelist = allow_attr: attrs:
|
|
|
|
|
''
|
|
|
|
|
a) For `nixos-rebuild` you can set
|
|
|
|
|
{ nixpkgs.config.allow${allow_attr} = true; }
|
|
|
|
|
in configuration.nix to override this.
|
|
|
|
|
|
|
|
|
|
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
|
|
|
|
{ allow${allow_attr} = true; }
|
|
|
|
|
to ~/.config/nixpkgs/config.nix.
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
remediate_insecure = attrs:
|
|
|
|
|
''
|
|
|
|
|
|
|
|
|
|
Known issues:
|
2018-02-10 21:47:05 +00:00
|
|
|
|
'' + (lib.concatStrings (map (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities)) + ''
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
|
|
|
|
You can install it anyway by whitelisting this package, using the
|
|
|
|
|
following methods:
|
|
|
|
|
|
|
|
|
|
a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to
|
|
|
|
|
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
|
|
|
|
|
like so:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
nixpkgs.config.permittedInsecurePackages = [
|
|
|
|
|
"${attrs.name or "«name-missing»"}"
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
|
|
|
|
‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in
|
|
|
|
|
~/.config/nixpkgs/config.nix, like so:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
permittedInsecurePackages = [
|
|
|
|
|
"${attrs.name or "«name-missing»"}"
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
'';
|
|
|
|
|
|
2018-09-18 14:30:59 +01:00
|
|
|
|
remediateOutputsToInstall = attrs: let
|
|
|
|
|
expectedOutputs = attrs.meta.outputsToInstall or [];
|
|
|
|
|
actualOutputs = attrs.outputs or [ "out" ];
|
|
|
|
|
missingOutputs = builtins.filter (output: ! builtins.elem output actualOutputs) expectedOutputs;
|
|
|
|
|
in ''
|
|
|
|
|
The package ${attrs.name} has set meta.outputsToInstall to: ${builtins.concatStringsSep ", " expectedOutputs}
|
|
|
|
|
|
|
|
|
|
however ${attrs.name} only has the outputs: ${builtins.concatStringsSep ", " actualOutputs}
|
|
|
|
|
|
|
|
|
|
and is missing the following ouputs:
|
|
|
|
|
|
|
|
|
|
${lib.concatStrings (builtins.map (output: " - ${output}\n") missingOutputs)}
|
|
|
|
|
'';
|
|
|
|
|
|
2018-01-31 03:10:34 +00:00
|
|
|
|
handleEvalIssue = attrs: { reason , errormsg ? "" }:
|
2017-12-12 23:06:55 +00:00
|
|
|
|
let
|
|
|
|
|
msg = ''
|
|
|
|
|
Package ‘${attrs.name or "«name-missing»"}’ in ${pos_str} ${errormsg}, refusing to evaluate.
|
|
|
|
|
|
|
|
|
|
'' + (builtins.getAttr reason remediation) attrs;
|
|
|
|
|
|
|
|
|
|
handler = if config ? "handleEvalIssue"
|
|
|
|
|
then config.handleEvalIssue reason
|
|
|
|
|
else throw;
|
|
|
|
|
in handler msg;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
metaTypes = with lib.types; rec {
|
|
|
|
|
# These keys are documented
|
|
|
|
|
description = str;
|
|
|
|
|
longDescription = str;
|
|
|
|
|
branch = str;
|
2017-12-05 11:57:11 +00:00
|
|
|
|
homepage = either (listOf str) str;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
downloadPage = str;
|
|
|
|
|
license = either (listOf lib.types.attrs) (either lib.types.attrs str);
|
2018-03-04 03:18:28 +00:00
|
|
|
|
maintainers = listOf (attrsOf str);
|
2017-07-02 12:52:14 +01:00
|
|
|
|
priority = int;
|
2018-04-05 20:22:45 +01:00
|
|
|
|
platforms = listOf (either str lib.systems.parsedPlatform.types.system);
|
2017-07-02 12:52:14 +01:00
|
|
|
|
hydraPlatforms = listOf str;
|
|
|
|
|
broken = bool;
|
dovecot, opensmtpd: add link to test in `meta.tests`
Rationale
---------
Currently, tests are hard to discover. For instance, someone updating
`dovecot` might not notice that the interaction of `dovecot` with
`opensmtpd` is handled in the `opensmtpd.nix` test.
And even for someone updating `opensmtpd`, it requires manual work to go
check in `nixos/tests` whether there is actually a test, especially
given not so many packages in `nixpkgs` have tests and this is thus most
of the time useless.
Finally, for the reviewer, it is much easier to check that the “Tested
via one or more NixOS test(s)” has been checked if the file modified
already includes the list of relevant tests.
Implementation
--------------
Currently, this commit only adds the metadata in the package. Each
element of the `meta.tests` attribute is a derivation that, when it
builds successfully, means the test has passed (ie. following the same
convention as NixOS tests).
Future Work
-----------
In the future, the tools could be made aware of this `meta.tests`
attribute, and for instance a `--with-tests` could be added to
`nix-build` so that it also builds all the tests. Or a `--without-tests`
to build without all the tests. @Profpatsch described in his NixCon talk
such systems.
Another thing that would help in the future would be the possibility to
reasonably easily have cross-derivation nix tests without the whole
NixOS VM stack. @7c6f434c already proposed such a system.
This RFC currently handles none of these concerns. Only the addition of
`meta.tests` as metadata to be used by maintainers to remember to run
relevant tests.
2018-08-04 04:18:28 +01:00
|
|
|
|
# TODO: refactor once something like Profpatsch's types-simple will land
|
|
|
|
|
tests = attrsOf (mkOptionType {
|
|
|
|
|
name = "test";
|
2018-11-11 11:30:07 +00:00
|
|
|
|
check = x: x == {} || ( # Accept {} for tests that are unsupported
|
|
|
|
|
isDerivation x &&
|
dovecot, opensmtpd: add link to test in `meta.tests`
Rationale
---------
Currently, tests are hard to discover. For instance, someone updating
`dovecot` might not notice that the interaction of `dovecot` with
`opensmtpd` is handled in the `opensmtpd.nix` test.
And even for someone updating `opensmtpd`, it requires manual work to go
check in `nixos/tests` whether there is actually a test, especially
given not so many packages in `nixpkgs` have tests and this is thus most
of the time useless.
Finally, for the reviewer, it is much easier to check that the “Tested
via one or more NixOS test(s)” has been checked if the file modified
already includes the list of relevant tests.
Implementation
--------------
Currently, this commit only adds the metadata in the package. Each
element of the `meta.tests` attribute is a derivation that, when it
builds successfully, means the test has passed (ie. following the same
convention as NixOS tests).
Future Work
-----------
In the future, the tools could be made aware of this `meta.tests`
attribute, and for instance a `--with-tests` could be added to
`nix-build` so that it also builds all the tests. Or a `--without-tests`
to build without all the tests. @Profpatsch described in his NixCon talk
such systems.
Another thing that would help in the future would be the possibility to
reasonably easily have cross-derivation nix tests without the whole
NixOS VM stack. @7c6f434c already proposed such a system.
This RFC currently handles none of these concerns. Only the addition of
`meta.tests` as metadata to be used by maintainers to remember to run
relevant tests.
2018-08-04 04:18:28 +01:00
|
|
|
|
x ? meta.timeout &&
|
2018-11-11 11:30:07 +00:00
|
|
|
|
x ? meta.needsVMSupport
|
|
|
|
|
);
|
dovecot, opensmtpd: add link to test in `meta.tests`
Rationale
---------
Currently, tests are hard to discover. For instance, someone updating
`dovecot` might not notice that the interaction of `dovecot` with
`opensmtpd` is handled in the `opensmtpd.nix` test.
And even for someone updating `opensmtpd`, it requires manual work to go
check in `nixos/tests` whether there is actually a test, especially
given not so many packages in `nixpkgs` have tests and this is thus most
of the time useless.
Finally, for the reviewer, it is much easier to check that the “Tested
via one or more NixOS test(s)” has been checked if the file modified
already includes the list of relevant tests.
Implementation
--------------
Currently, this commit only adds the metadata in the package. Each
element of the `meta.tests` attribute is a derivation that, when it
builds successfully, means the test has passed (ie. following the same
convention as NixOS tests).
Future Work
-----------
In the future, the tools could be made aware of this `meta.tests`
attribute, and for instance a `--with-tests` could be added to
`nix-build` so that it also builds all the tests. Or a `--without-tests`
to build without all the tests. @Profpatsch described in his NixCon talk
such systems.
Another thing that would help in the future would be the possibility to
reasonably easily have cross-derivation nix tests without the whole
NixOS VM stack. @7c6f434c already proposed such a system.
This RFC currently handles none of these concerns. Only the addition of
`meta.tests` as metadata to be used by maintainers to remember to run
relevant tests.
2018-08-04 04:18:28 +01:00
|
|
|
|
merge = lib.options.mergeOneOption;
|
|
|
|
|
});
|
|
|
|
|
needsVMSupport = bool;
|
|
|
|
|
timeout = int;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
|
|
|
|
|
# Weirder stuff that doesn't appear in the documentation?
|
2017-12-14 12:36:26 +00:00
|
|
|
|
knownVulnerabilities = listOf str;
|
2018-01-03 15:22:35 +00:00
|
|
|
|
name = str;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
version = str;
|
|
|
|
|
tag = str;
|
|
|
|
|
updateWalker = bool;
|
|
|
|
|
executables = listOf str;
|
|
|
|
|
outputsToInstall = listOf str;
|
|
|
|
|
position = str;
|
2018-02-17 18:44:23 +00:00
|
|
|
|
available = bool;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
repositories = attrsOf str;
|
|
|
|
|
isBuildPythonPackage = platforms;
|
2018-01-09 13:25:24 +00:00
|
|
|
|
schedulingPriority = int;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
downloadURLRegexp = str;
|
|
|
|
|
isFcitxEngine = bool;
|
|
|
|
|
isIbusEngine = bool;
|
2017-12-05 11:57:11 +00:00
|
|
|
|
isGutenprint = bool;
|
2018-03-27 13:12:14 +01:00
|
|
|
|
badPlatforms = platforms;
|
2017-07-02 12:52:14 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
checkMetaAttr = k: v:
|
|
|
|
|
if metaTypes?${k} then
|
2017-12-05 11:55:48 +00:00
|
|
|
|
if metaTypes.${k}.check v then null else "key '${k}' has a value ${toString v} of an invalid type ${builtins.typeOf v}; expected ${metaTypes.${k}.description}"
|
2017-07-02 12:52:14 +01:00
|
|
|
|
else "key '${k}' is unrecognized; expected one of: \n\t [${lib.concatMapStringsSep ", " (x: "'${x}'") (lib.attrNames metaTypes)}]";
|
|
|
|
|
checkMeta = meta: if shouldCheckMeta then lib.remove null (lib.mapAttrsToList checkMetaAttr meta) else [];
|
|
|
|
|
|
2018-03-27 16:42:51 +01:00
|
|
|
|
checkPlatform = attrs: let
|
|
|
|
|
anyMatch = lib.any (lib.meta.platformMatch hostPlatform);
|
|
|
|
|
in anyMatch (attrs.meta.platforms or lib.platforms.all) &&
|
|
|
|
|
! anyMatch (attrs.meta.badPlatforms or []);
|
lib, stdenv: Check `meta.platforms` against host platform and be open world
First, we need check against the host platform, not the build platform.
That's simple enough.
Second, we move away from exahustive finite case analysis (i.e.
exhaustively listing all platforms the package builds on). That only
work in a closed-world setting, where we know all platforms we might
build one. But with cross compilation, we may be building for arbitrary
platforms, So we need fancier filters. This is the closed world to open
world change.
The solution is instead of having a list of systems (strings in the form
"foo-bar"), we have a list of of systems or "patterns", i.e. attributes
that partially match the output of the parsers in `lib.systems.parse`.
The "check meta" logic treats the systems strings as an exact whitelist
just as before, but treats the patterns as a fuzzy whitelist,
intersecting the actual `hostPlatform` with the pattern and then
checking for equality. (This is done using `matchAttrs`).
The default convenience lists for `meta.platforms` are now changed to be
lists of patterns (usually a single pattern) in
`lib/systems/for-meta.nix` for maximum flexibility under this new
system.
Fixes #30902
2018-01-31 05:11:03 +00:00
|
|
|
|
|
2018-09-18 14:30:59 +01:00
|
|
|
|
checkOutputsToInstall = attrs: let
|
|
|
|
|
expectedOutputs = attrs.meta.outputsToInstall or [];
|
|
|
|
|
actualOutputs = attrs.outputs or [ "out" ];
|
|
|
|
|
missingOutputs = builtins.filter (output: ! builtins.elem output actualOutputs) expectedOutputs;
|
|
|
|
|
in if shouldCheckMeta
|
|
|
|
|
then builtins.length missingOutputs > 0
|
|
|
|
|
else false;
|
|
|
|
|
|
2017-07-02 12:52:14 +01:00
|
|
|
|
# Check if a derivation is valid, that is whether it passes checks for
|
|
|
|
|
# e.g brokenness or license.
|
|
|
|
|
#
|
|
|
|
|
# Return { valid: Bool } and additionally
|
|
|
|
|
# { reason: String; errormsg: String } if it is not valid, where
|
|
|
|
|
# reason is one of "unfree", "blacklisted" or "broken".
|
|
|
|
|
checkValidity = attrs:
|
|
|
|
|
if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
|
|
|
|
|
{ valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
|
|
|
|
else if hasBlacklistedLicense attrs then
|
|
|
|
|
{ valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; }
|
|
|
|
|
else if !allowBroken && attrs.meta.broken or false then
|
|
|
|
|
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
|
2018-04-09 11:23:31 +01:00
|
|
|
|
else if !allowUnsupportedSystem && !(checkPlatform attrs) then
|
|
|
|
|
{ valid = false; reason = "unsupported"; errormsg = "is not supported on ‘${hostPlatform.config}’"; }
|
2017-07-02 12:52:14 +01:00
|
|
|
|
else if !(hasAllowedInsecure attrs) then
|
|
|
|
|
{ valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
|
2018-09-18 14:30:59 +01:00
|
|
|
|
else if checkOutputsToInstall attrs then
|
|
|
|
|
{ valid = false; reason = "broken-outputs"; errormsg = "has invalid meta.outputsToInstall"; }
|
2017-07-02 12:52:14 +01:00
|
|
|
|
else let res = checkMeta (attrs.meta or {}); in if res != [] then
|
|
|
|
|
{ valid = false; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${lib.concatMapStrings (x: "\n\t - " + x) res}"; }
|
|
|
|
|
else { valid = true; };
|
|
|
|
|
|
2018-01-31 03:10:34 +00:00
|
|
|
|
assertValidity = attrs: let
|
|
|
|
|
validity = checkValidity attrs;
|
|
|
|
|
in validity // {
|
|
|
|
|
# Throw an error if trying to evaluate an non-valid derivation
|
|
|
|
|
handled = if !validity.valid
|
|
|
|
|
then handleEvalIssue attrs (removeAttrs validity ["valid"])
|
|
|
|
|
else true;
|
|
|
|
|
};
|
2017-12-25 17:38:45 +00:00
|
|
|
|
|
2018-01-31 03:10:34 +00:00
|
|
|
|
in assertValidity
|