author | Alyssa Ross <hi@alyssa.is> | 2024-05-03 15:14:25 +0200 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2024-05-07 11:19:19 +0200 |
commit | d92b2b6a1bbd322dd65a8b6f51019610d350046e (patch) | |
tree | 7f7c21927b9cc05676501f297c51eb76b49e326c /nixpkgs/pkgs/stdenv/generic | |
parent | 93c9e56b40530cc627d921cfc255c05b495d4017 (diff) | |
parent | 49050352f602fe87d16ff7b2b6a05b79eb20dc6f (diff) | |
Merge remote-tracking branch 'nixpkgs/nixos-unstable-small'
Conflicts: nixpkgs/nixos/modules/services/mail/mailman.nix nixpkgs/nixos/modules/services/mail/public-inbox.nix nixpkgs/pkgs/build-support/go/module.nix
Diffstat (limited to 'nixpkgs/pkgs/stdenv/generic')
-rw-r--r-- | nixpkgs/pkgs/stdenv/generic/check-meta.nix | 71 | ||||
-rw-r--r-- | nixpkgs/pkgs/stdenv/generic/make-derivation.nix | 8 | ||||
-rw-r--r-- | nixpkgs/pkgs/stdenv/generic/setup.sh | 7 |
3 files changed, 55 insertions, 31 deletions
diff --git a/nixpkgs/pkgs/stdenv/generic/check-meta.nix b/nixpkgs/pkgs/stdenv/generic/check-meta.nix index 63c853e3dc31..a61f3e1ae4d0 100644 --- a/nixpkgs/pkgs/stdenv/generic/check-meta.nix +++ b/nixpkgs/pkgs/stdenv/generic/check-meta.nix @@ -29,6 +29,14 @@ let toList isList elem + ; + + inherit (lib.meta) + availableOn + ; + + inherit (lib.generators) + toPretty ; # If we're in hydra, we can dispense with the more verbose error @@ -84,7 +92,7 @@ let # was `licenses: lib.lists.any (l: !l.free or true) licenses;` # which always evaluates to `!true` for strings. else if isString licenses then false - else lib.lists.any (l: !l.free or true) licenses; + else any (l: !l.free or true) licenses; hasUnfreeLicense = attrs: hasLicense attrs && isUnfree attrs.meta.license; @@ -94,7 +102,7 @@ let isMarkedBroken = attrs: attrs.meta.broken or false; hasUnsupportedPlatform = - pkg: !(lib.meta.availableOn hostPlatform pkg); + pkg: !(availableOn hostPlatform pkg); isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or []) != []; @@ -181,7 +189,7 @@ let Alternatively you can configure a predicate to allow specific packages: { nixpkgs.config.${predicateConfigAttr} = pkg: builtins.elem (lib.getName pkg) [ - "${getName attrs}" + "${lib.getName attrs}" ]; } ''; @@ -360,7 +368,7 @@ let [ ] else [ "key 'meta.${k}' has invalid value; expected ${metaTypes.${k}.name}, got\n ${ - lib.generators.toPretty { indent = " "; } v + toPretty { indent = " "; } v }" ] else [ "key 'meta.${k}' is unrecognized; expected one of: \n [${concatMapStringsSep ", " (x: "'${x}'") (attrNames metaTypes)}]" ]; 
@@ -382,22 +390,24 @@ let # reason is one of "unfree", "blocklisted", "broken", "insecure", ... # !!! reason strings are hardcoded into OfBorg, make sure to keep them in sync # Along with a boolean flag for each reason - checkValidity = attrs: + checkValidity = + let + validYes = { + valid = "yes"; + handled = true; + }; + in + attrs: # Check meta attribute types first, to make sure it is always called even when there are other issues # Note that this is not a full type check and functions below still need to by careful about their inputs! - let res = checkMeta (attrs.meta or {}); in if res != [] then - { valid = "no"; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${concatMapStrings (x: "\n - " + x) res}\n"; - unfree = false; nonSource = false; broken = false; unsupported = false; insecure = false; - } - else { - unfree = hasUnfreeLicense attrs; - nonSource = hasNonSourceProvenance attrs; - broken = isMarkedBroken attrs; - unsupported = hasUnsupportedPlatform attrs; - insecure = isMarkedInsecure attrs; - } // ( + let + res = checkMeta (attrs.meta or {}); + in + if res != [] then + { valid = "no"; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${concatMapStrings (x: "\n - " + x) res}\n"; } + # --- Put checks that cannot be ignored here --- - if checkOutputsToInstall attrs then + else if checkOutputsToInstall attrs then { valid = "no"; reason = "broken-outputs"; errormsg = "has invalid meta.outputsToInstall"; } # --- Put checks that can be ignored here --- @@ -410,7 +420,7 @@ let else if !allowBroken && attrs.meta.broken or false then { valid = "no"; reason = "broken"; errormsg = "is marked as broken"; } else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then - let toPretty = lib.generators.toPretty { + let toPretty' = toPretty { allowPrettyValues = true; indent = " "; }; 
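Review bot: The header comment kept as context above `checkValidity` still ends with `# Along with a boolean flag for each reason`, but after this hunk the function no longer returns `unfree`, `nonSource`, `broken`, `unsupported` or `insecure`, so that line should be dropped or reworded. `validYes` also needs a comment of its own, for example `# Pre-marked as handled so assertValidity can return it unchanged; no other result may set 'handled'`. The reason is that the `validity ? handled` test added in the assertValidity hunk appears to bypass the throw/warn path for any result carrying that attribute, and that path is what enforces the insecure, unfree and broken rejections. The body of `checkValidity` continues in the following hunks.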
@@ -418,8 +428,8 @@ let errormsg = '' is not available on the requested hostPlatform: hostPlatform.config = "${hostPlatform.config}" - package.meta.platforms = ${toPretty (attrs.meta.platforms or [])} - package.meta.badPlatforms = ${toPretty (attrs.meta.badPlatforms or [])} + package.meta.platforms = ${toPretty' (attrs.meta.platforms or [])} + package.meta.badPlatforms = ${toPretty' (attrs.meta.badPlatforms or [])} ''; } else if !(hasAllowedInsecure attrs) then @@ -430,7 +440,7 @@ let else if hasNoMaintainers attrs then { valid = "warn"; reason = "maintainerless"; errormsg = "has no maintainers"; } # ----- - else { valid = "yes"; }); + else validYes; # The meta attribute is passed in the resulting attribute set, @@ -443,6 +453,7 @@ let commonMeta = { validity, attrs, pos ? null, references ? [ ] }: let outputs = attrs.outputs or [ "out" ]; + hasOutput = out: builtins.elem out outputs; in { # `name` derivation attribute includes cross-compilation cruft, @@ -461,10 +472,13 @@ let # Services and users should specify outputs explicitly, # unless they are comfortable with this default. outputsToInstall = - let - hasOutput = out: builtins.elem out outputs; - in - [ (findFirst hasOutput null ([ "bin" "out" ] ++ outputs)) ] + [ + ( + if hasOutput "bin" then "bin" + else if hasOutput "out" then "out" + else findFirst hasOutput null outputs + ) + ] ++ optional (hasOutput "man") "man"; } // attrs.meta or { } @@ -473,7 +487,10 @@ let position = pos.file + ":" + toString pos.line; } // { # Expose the result of the checks for everyone to see. - inherit (validity) unfree broken unsupported insecure; + unfree = hasUnfreeLicense attrs; + broken = isMarkedBroken attrs; + unsupported = hasUnsupportedPlatform attrs; + insecure = isMarkedInsecure attrs; available = validity.valid != "no" && (if config.checkMetaRecursively or false 
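Review bot: In the hunk at `-473,7 +487,10`, `unfree`, `broken`, `unsupported` and `insecure` are now computed by calling `hasUnfreeLicense`, `isMarkedBroken`, `hasUnsupportedPlatform` and `isMarkedInsecure` on `attrs` even when `checkMeta` has rejected the meta attrset. The removed `unknown-meta` branch returned `false` for all of them without touching those helpers. The context comment in `checkValidity` warns that these functions must be careful about their inputs, so a malformed `meta.license` or `meta.platforms` may now surface as a raw evaluation error when a consumer reads `meta.unfree` or `meta.unsupported` without first forcing the validity check. I would record that next to the existing comment, e.g. `# Computed from attrs directly, not from validity; may fail to evaluate if meta did not pass checkMeta`. `commonMeta` starts and ends outside this hunk.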
@@ -484,7 +501,7 @@ let assertValidity = { meta, attrs }: let validity = checkValidity attrs; inherit (validity) valid; - in validity // { + in if validity ? handled then validity else validity // { # Throw an error if trying to evaluate a non-valid derivation # or, alternatively, just output a warning message. handled = diff --git a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix index 08cded664254..1214d0101383 100644 --- a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix +++ b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix @@ -574,6 +574,12 @@ let "The βenvβ attribute set can only contain derivation, string, boolean or integer attributes. The β${n}β attribute is of type ${builtins.typeOf v}."; v) env; + # Fixed-output derivations may not reference other paths, which means that + # for a fixed-output derivation, the corresponding inputDerivation should + # *not* be fixed-output. To achieve this we simply delete the attributes that + # would make it fixed-output. + deleteFixedOutputRelatedAttrs = lib.flip builtins.removeAttrs [ "outputHashAlgo" "outputHash" "outputHashMode" ]; + in extendDerivation @@ -584,7 +590,7 @@ extendDerivation # This allows easy building and distributing of all derivations # needed to enter a nix-shell with # nix-build shell.nix -A inputDerivation - inputDerivation = derivation (derivationArg // { + inputDerivation = derivation (deleteFixedOutputRelatedAttrs derivationArg // { # Add a name in case the original drv didn't have one name = derivationArg.name or "inputDerivation"; # This always only has one output diff --git a/nixpkgs/pkgs/stdenv/generic/setup.sh b/nixpkgs/pkgs/stdenv/generic/setup.sh index 9c918b12f96e..45c73d7709c6 100644 --- a/nixpkgs/pkgs/stdenv/generic/setup.sh +++ b/nixpkgs/pkgs/stdenv/generic/setup.sh 
@@ -1069,12 +1069,12 @@ _defaultUnpack() { # disregard the error code from the xz invocation. Otherwise, # it can happen that tar exits earlier, causing xz to fail # from a SIGPIPE. - (XZ_OPT="--threads=$NIX_BUILD_CORES" xz -d < "$fn"; true) | tar xf - --warning=no-timestamp + (XZ_OPT="--threads=$NIX_BUILD_CORES" xz -d < "$fn"; true) | tar xf - --mode=+w --warning=no-timestamp ;; *.tar | *.tar.* | *.tgz | *.tbz2 | *.tbz) # GNU tar can automatically select the decompression method # (info "(tar) gzip"). - tar xf "$fn" --warning=no-timestamp + tar xf "$fn" --mode=+w --warning=no-timestamp ;; *) return 1 @@ -1421,7 +1421,8 @@ fixupPhase() { # Make sure everything is writable so "strip" et al. work. local output for output in $(getAllOutputNames); do - if [ -e "${!output}" ]; then chmod -R u+w "${!output}"; fi + # for set*id bits see #300635 + if [ -e "${!output}" ]; then chmod -R u+w,u-s,g-s "${!output}"; fi done runHook preFixup |
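Review bot: Both tar invocations in the `_defaultUnpack` hunk pass `--mode=+w` without a who-letter, while the fixupPhase hunk in the same commit uses the explicit `u+w`. With chmod-style symbolic modes a bare `+w` is normally filtered through the umask, so which write bits end up set on the unpacked tree depends on the umask of the build environment; `--mode=u+w` would state the intent and match fixupPhase. Neither line says why the archive's recorded modes are being overridden, so a one-line comment above the first `tar` call would help, e.g. `# force owner-writable so later phases can modify the unpacked tree` (wording to be confirmed against the upstream change). The `case` statement continues outside the hunk.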
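Review bot: The added comment `# for set*id bits see #300635` in the fixupPhase hunk gives only an issue number, so someone reading setup.sh offline cannot tell why setuid and setgid are being cleared on every output. I would state the reason inline and keep the reference, along the lines of `# also clear setuid/setgid on outputs; see #300635 for the rationale`, with the wording taken from that issue. The existing comment above the loop, "Make sure everything is writable so strip et al. work", also no longer describes everything the `chmod -R u+w,u-s,g-s` line does. This pass runs before `runHook preFixup`, so files created or re-moded by later fixup hooks are not covered by it; if the intent is that no output ever carries these bits, that limit should be spelled out. The body of `fixupPhase` continues outside the hunk.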