add mechanism for handling meta.sourceProvenance attributes
heavily based on the patterns used by the licenses infrastructure, so it may appear over-engineered for its initial level of use
parent
93e6a4b607
commit
da9162f667
|
@ -36,6 +36,7 @@ let
|
||||||
|
|
||||||
# constants
|
# constants
|
||||||
licenses = callLibs ./licenses.nix;
|
licenses = callLibs ./licenses.nix;
|
||||||
|
sourceTypes = callLibs ./source-types.nix;
|
||||||
systems = callLibs ./systems;
|
systems = callLibs ./systems;
|
||||||
|
|
||||||
# serialization
|
# serialization
|
||||||
|
|
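--- /dev/null
+++ b/lib/source-types.nix
@@ -0,0 +1,25 @@
+{ lib }:
+
+lib.mapAttrs (tname: tset: let
+defaultSourceType = {
+shortName = tname;
+isSource = false;
+};
+
+mkSourceType = sourceTypeDeclaration: let
+applyDefaults = sourceType: defaultSourceType // sourceType;
+in lib.pipe sourceTypeDeclaration [
+applyDefaults
+];
+in mkSourceType tset) {
+
+fromSource = {
+isSource = true;
+};
+
+binaryNativeCode = {};
+
+binaryBytecode = {};
+
+binaryFirmware = {};
+}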
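Review bot: The new file defines four source types but documents none of them; `fromSource` sets `isSource = true` while `binaryNativeCode`, `binaryBytecode` and `binaryFirmware` are empty attrsets that receive only `shortName` and the implicit `isSource = false` from `defaultSourceType`, so nothing in the file tells a reader what each binary kind denotes or that "not from source" is the default. A header comment stating that every type except `fromSource` defaults to `isSource = false`, plus a one-line comment above each binary entry along the lines of `# binaryNativeCode: package ships pre-built native machine code` (wording to be confirmed by the author), would make the policy legible where it is defined. The single-stage `lib.pipe` in `mkSourceType` is presumably the over-engineering the commit message acknowledges; a comment saying it follows the shape of `licenses.nix` so further transformations can be appended would spare the next reader the search.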
|
@ -20,6 +20,9 @@ let
|
||||||
allowUnfree = config.allowUnfree
|
allowUnfree = config.allowUnfree
|
||||||
|| builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
|| builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
||||||
|
|
||||||
|
allowNonSource = config.allowNonSource or true
|
||||||
|
|| builtins.getEnv "NIXPKGS_ALLOW_NONSOURCE" == "1";
|
||||||
|
|
||||||
allowlist = config.allowlistedLicenses or config.whitelistedLicenses or [];
|
allowlist = config.allowlistedLicenses or config.whitelistedLicenses or [];
|
||||||
blocklist = config.blocklistedLicenses or config.blacklistedLicenses or [];
|
blocklist = config.blocklistedLicenses or config.blacklistedLicenses or [];
|
||||||
|
|
||||||
|
@ -86,12 +89,41 @@ let
|
||||||
allowInsecurePredicate attrs ||
|
allowInsecurePredicate attrs ||
|
||||||
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
|
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
|
||||||
|
|
||||||
showLicense = license: toString (map (l: l.shortName or "unknown") (lib.lists.toList license));
|
hasSourceProvenance = attrs:
|
||||||
|
attrs ? meta.sourceProvenance;
|
||||||
|
|
||||||
|
isNonSource = sourceTypes: lib.lists.any (t: !t.isSource or true) sourceTypes;
|
||||||
|
|
||||||
|
hasNonSourceProvenance = attrs:
|
||||||
|
hasSourceProvenance attrs &&
|
||||||
|
isNonSource (lib.lists.toList attrs.meta.sourceProvenance);
|
||||||
|
|
||||||
|
# Allow granular checks to allow only some non-source-built packages
|
||||||
|
# Example:
|
||||||
|
# {pkgs, ...}:
|
||||||
|
# {
|
||||||
|
# allowNonSource = false;
|
||||||
|
# allowNonSourcePredicate = (x: pkgs.lib.hasPrefix "pulumi" x.name);
|
||||||
|
# }
|
||||||
|
allowNonSourcePredicate = config.allowNonSourcePredicate or (x: false);
|
||||||
|
|
||||||
|
# Check whether non-source packages are allowed and if not, whether the
|
||||||
|
# package has non-source provenance and is not explicitly allowed by the
|
||||||
|
# `allowNonSourcePredicate` function.
|
||||||
|
hasDeniedNonSourceProvenance = attrs:
|
||||||
|
hasNonSourceProvenance attrs &&
|
||||||
|
!allowNonSource &&
|
||||||
|
!allowNonSourcePredicate attrs;
|
||||||
|
|
||||||
|
showLicenseOrSourceType = value: toString (map (v: v.shortName or "unknown") (lib.lists.toList value));
|
||||||
|
showLicense = showLicenseOrSourceType;
|
||||||
|
showSourceType = showLicenseOrSourceType;
|
||||||
|
|
||||||
pos_str = meta: meta.position or "«unknown-file»";
|
pos_str = meta: meta.position or "«unknown-file»";
|
||||||
|
|
||||||
remediation = {
|
remediation = {
|
||||||
unfree = remediate_allowlist "Unfree" remediate_unfree_predicate;
|
unfree = remediate_allowlist "Unfree" (remediate_predicate "allowUnfreePredicate");
|
||||||
|
non-source = remediate_allowlist "NonSource" (remediate_predicate "allowNonSourcePredicate");
|
||||||
broken = remediate_allowlist "Broken" (x: "");
|
broken = remediate_allowlist "Broken" (x: "");
|
||||||
unsupported = remediate_allowlist "UnsupportedSystem" (x: "");
|
unsupported = remediate_allowlist "UnsupportedSystem" (x: "");
|
||||||
blocklisted = x: "";
|
blocklisted = x: "";
|
||||||
|
@ -104,17 +136,19 @@ let
|
||||||
Unfree = "NIXPKGS_ALLOW_UNFREE";
|
Unfree = "NIXPKGS_ALLOW_UNFREE";
|
||||||
Broken = "NIXPKGS_ALLOW_BROKEN";
|
Broken = "NIXPKGS_ALLOW_BROKEN";
|
||||||
UnsupportedSystem = "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM";
|
UnsupportedSystem = "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM";
|
||||||
|
NonSource = "NIXPKGS_ALLOW_NONSOURCE";
|
||||||
}.${allow_attr};
|
}.${allow_attr};
|
||||||
remediation_phrase = allow_attr: {
|
remediation_phrase = allow_attr: {
|
||||||
Unfree = "unfree packages";
|
Unfree = "unfree packages";
|
||||||
Broken = "broken packages";
|
Broken = "broken packages";
|
||||||
UnsupportedSystem = "packages that are unsupported for this system";
|
UnsupportedSystem = "packages that are unsupported for this system";
|
||||||
|
NonSource = "packages not built from source";
|
||||||
}.${allow_attr};
|
}.${allow_attr};
|
||||||
remediate_unfree_predicate = attrs:
|
remediate_predicate = predicateConfigAttr: attrs:
|
||||||
''
|
''
|
||||||
|
|
||||||
Alternatively you can configure a predicate to allow specific packages:
|
Alternatively you can configure a predicate to allow specific packages:
|
||||||
{ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
{ nixpkgs.config.${predicateConfigAttr} = pkg: builtins.elem (lib.getName pkg) [
|
||||||
"${lib.getName attrs}"
|
"${lib.getName attrs}"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
@ -226,6 +260,7 @@ let
|
||||||
downloadPage = str;
|
downloadPage = str;
|
||||||
changelog = either (listOf str) str;
|
changelog = either (listOf str) str;
|
||||||
license = either (listOf lib.types.attrs) (either lib.types.attrs str);
|
license = either (listOf lib.types.attrs) (either lib.types.attrs str);
|
||||||
|
sourceProvenance = either (listOf lib.types.attrs) (either lib.types.attrs str);
|
||||||
maintainers = listOf (attrsOf str);
|
maintainers = listOf (attrsOf str);
|
||||||
priority = int;
|
priority = int;
|
||||||
platforms = listOf str;
|
platforms = listOf str;
|
||||||
|
@ -288,6 +323,7 @@ let
|
||||||
checkValidity = attrs:
|
checkValidity = attrs:
|
||||||
{
|
{
|
||||||
unfree = hasUnfreeLicense attrs;
|
unfree = hasUnfreeLicense attrs;
|
||||||
|
nonSource = hasNonSourceProvenance attrs;
|
||||||
broken = isMarkedBroken attrs;
|
broken = isMarkedBroken attrs;
|
||||||
unsupported = hasUnsupportedPlatform attrs;
|
unsupported = hasUnsupportedPlatform attrs;
|
||||||
insecure = isMarkedInsecure attrs;
|
insecure = isMarkedInsecure attrs;
|
||||||
|
@ -296,6 +332,8 @@ let
|
||||||
{ valid = "no"; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
{ valid = "no"; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
||||||
else if hasBlocklistedLicense attrs then
|
else if hasBlocklistedLicense attrs then
|
||||||
{ valid = "no"; reason = "blocklisted"; errormsg = "has a blocklisted license (‘${showLicense attrs.meta.license}’)"; }
|
{ valid = "no"; reason = "blocklisted"; errormsg = "has a blocklisted license (‘${showLicense attrs.meta.license}’)"; }
|
||||||
|
else if hasDeniedNonSourceProvenance attrs then
|
||||||
|
{ valid = "no"; reason = "non-source"; errormsg = "contains elements not built from source (‘${showSourceType attrs.meta.sourceProvenance}’)"; }
|
||||||
else if !allowBroken && attrs.meta.broken or false then
|
else if !allowBroken && attrs.meta.broken or false then
|
||||||
{ valid = "no"; reason = "broken"; errormsg = "is marked as broken"; }
|
{ valid = "no"; reason = "broken"; errormsg = "is marked as broken"; }
|
||||||
else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then
|
else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then
|
||||||
|
|
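Review bot: `isNonSource` in the hunk at `@ -86,12 +89,41 @@` fails open: in Nix the `or` default binds tighter than `!`, so `!t.isSource or true` parses as `!(t.isSource or true)`, and any provenance entry without an `isSource` attribute — including the bare strings that the `sourceProvenance = either (listOf lib.types.attrs) (either lib.types.attrs str);` type added at `@ -226,6 +260,7 @@` permits — is counted as built from source and is never denied even when `allowNonSource = false`. This likely mirrors the license check the commit message says it is modelled on, but for an opt-in policy a stricter default is arguably safer: either write `isNonSource = sourceTypes: lib.lists.any (t: !(t.isSource or false)) sourceTypes;` or keep the lenient default and add the parentheses plus a comment such as `# entries without isSource (e.g. plain strings) are treated as source-built`. Either way the parentheses should be made explicit so the precedence is not misread as `(!t.isSource) or true`. The enclosing `let` block starts and ends outside the hunk.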