Merge commit '1a57d96edd156958b12782e8c8b6a374142a7248'

author: Alyssa Ross <hi@alyssa.is> 2021-01-15 10:30:44 +0000
committer: Alyssa Ross <hi@alyssa.is> 2021-01-15 10:30:44 +0000
commit: e0794be8a0d11e90461e5a9c85012a36b93ec976 (patch)
tree: efd9cbc55ea3322867bf601c4d536758a3dd5fcc /nixpkgs/pkgs/stdenv/generic
parent: 3538874082ded7647b1ccec0343c7c1e882cfef3 (diff)
parent: 1a57d96edd156958b12782e8c8b6a374142a7248 (diff)
download: nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.gz
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.bz2
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.lz
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.xz
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.zst
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.zip
4 files changed, 78 insertions, 22 deletions
diff --git a/nixpkgs/pkgs/stdenv/generic/check-meta.nix b/nixpkgs/pkgs/stdenv/generic/check-meta.nix
index c06f17b6fc19..160ca5d4e068 100644
--- a/nixpkgs/pkgs/stdenv/generic/check-meta.nix
+++ b/nixpkgs/pkgs/stdenv/generic/check-meta.nix
@@ -49,6 +49,18 @@ let
 
   isUnfree = licenses: lib.lists.any (l: !l.free or true) licenses;
 
+  hasUnfreeLicense = attrs:
+    hasLicense attrs &&
+    isUnfree (lib.lists.toList attrs.meta.license);
+
+  isMarkedBroken = attrs: attrs.meta.broken or false;
+
+  hasUnsupportedPlatform = attrs:
+    (!lib.lists.elem hostPlatform.system (attrs.meta.platforms or lib.platforms.all) ||
+      lib.lists.elem hostPlatform.system (attrs.meta.badPlatforms or []));
+
+  isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or []) != [];
+
   # Alow granular checks to allow only some unfree packages
   # Example:
   # {pkgs, ...}:
@@ -62,16 +74,15 @@ let
   # package has an unfree license and is not explicitely allowed by the
   # `allowUnfreePredicate` function.
   hasDeniedUnfreeLicense = attrs:
+    hasUnfreeLicense attrs &&
     !allowUnfree &&
-    hasLicense attrs &&
-    isUnfree (lib.lists.toList attrs.meta.license) &&
     !allowUnfreePredicate attrs;
 
   allowInsecureDefaultPredicate = x: builtins.elem (getName x) (config.permittedInsecurePackages or []);
   allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x;
 
   hasAllowedInsecure = attrs:
-    (attrs.meta.knownVulnerabilities or []) == [] ||
+    !(isMarkedInsecure attrs) ||
     allowInsecurePredicate attrs ||
     builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
 
@@ -80,21 +91,46 @@ let
   pos_str = meta: meta.position or "«unknown-file»";
 
   remediation = {
-    unfree = remediate_whitelist "Unfree";
-    broken = remediate_whitelist "Broken";
-    unsupported = remediate_whitelist "UnsupportedSystem";
+    unfree = remediate_whitelist "Unfree" remediate_unfree_predicate;
+    broken = remediate_whitelist "Broken" (x: "");
+    unsupported = remediate_whitelist "UnsupportedSystem" (x: "");
     blacklisted = x: "";
     insecure = remediate_insecure;
     broken-outputs = remediateOutputsToInstall;
     unknown-meta = x: "";
   };
-  remediate_whitelist = allow_attr: attrs:
+  remediation_env_var = allow_attr: {
+    Unfree = "NIXPKGS_ALLOW_UNFREE";
+    Broken = "NIXPKGS_ALLOW_BROKEN";
+    UnsupportedSystem = "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM";
+  }.${allow_attr};
+  remediation_phrase = allow_attr: {
+    Unfree = "unfree packages";
+    Broken = "broken packages";
+    UnsupportedSystem = "packages that are unsupported for this system";
+  }.${allow_attr};
+  remediate_unfree_predicate = attrs:
     ''
-      a) For `nixos-rebuild` you can set
+
+      Alternatively you can configure a predicate to whitelist specific packages:
+        { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+            "${lib.getName attrs}"
+          ];
+        }
+    '';
+
+  remediate_whitelist = allow_attr: rebuild_amendment: attrs:
+    ''
+      a) To temporarily allow ${remediation_phrase allow_attr}, you can use an environment variable
+         for a single invocation of the nix tools.
+
+           $ export ${remediation_env_var allow_attr}=1
+
+      b) For `nixos-rebuild` you can set
         { nixpkgs.config.allow${allow_attr} = true; }
       in configuration.nix to override this.
-
-      b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
+      ${rebuild_amendment attrs}
+      c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
         { allow${allow_attr} = true; }
       to ~/.config/nixpkgs/config.nix.
     '';
@@ -178,6 +214,9 @@ let
     platforms = listOf str;
     hydraPlatforms = listOf str;
     broken = bool;
+    unfree = bool;
+    unsupported = bool;
+    insecure = bool;
     # TODO: refactor once something like Profpatsch's types-simple will land
     # This is currently dead code due to https://github.com/NixOS/nix/issues/2532
     tests = attrsOf (mkOptionType {
@@ -229,17 +268,22 @@ let
   #
   # Return { valid: Bool } and additionally
   # { reason: String; errormsg: String } if it is not valid, where
-  # reason is one of "unfree", "blacklisted" or "broken".
+  # reason is one of "unfree", "blacklisted", "broken", "insecure", ...
+  # Along with a boolean flag for each reason
   checkValidity = attrs:
-    if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
+    {
+      unfree = hasUnfreeLicense attrs;
+      broken = isMarkedBroken attrs;
+      unsupported = hasUnsupportedPlatform attrs;
+      insecure = isMarkedInsecure attrs;
+    }
+    // (if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
       { valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
     else if hasBlacklistedLicense attrs then
       { valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; }
     else if !allowBroken && attrs.meta.broken or false then
       { valid = false; reason = "broken"; errormsg = "is marked as broken"; }
-    else if !allowUnsupportedSystem &&
-            (!lib.lists.elem hostPlatform.system (attrs.meta.platforms or lib.platforms.all) ||
-              lib.lists.elem hostPlatform.system (attrs.meta.badPlatforms or [])) then
+    else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then
       { valid = false; reason = "unsupported"; errormsg = "is not supported on ‘${hostPlatform.system}’"; }
     else if !(hasAllowedInsecure attrs) then
       { valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
@@ -247,14 +291,14 @@ let
       { valid = false; reason = "broken-outputs"; errormsg = "has invalid meta.outputsToInstall"; }
     else let res = checkMeta (attrs.meta or {}); in if res != [] then
       { valid = false; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${lib.concatMapStrings (x: "\n\t - " + x) res}"; }
-    else { valid = true; };
+    else { valid = true; });
 
   assertValidity = { meta, attrs }: let
       validity = checkValidity attrs;
     in validity // {
       # Throw an error if trying to evaluate an non-valid derivation
       handled = if !validity.valid
-        then handleEvalIssue { inherit meta attrs; } (removeAttrs validity ["valid"])
+        then handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; }
         else true;
   };
 
diff --git a/nixpkgs/pkgs/stdenv/generic/default.nix b/nixpkgs/pkgs/stdenv/generic/default.nix
index b57989786904..c7c3bb9f3f3f 100644
--- a/nixpkgs/pkgs/stdenv/generic/default.nix
+++ b/nixpkgs/pkgs/stdenv/generic/default.nix
@@ -61,12 +61,16 @@ let
     ]
       # FIXME this on Darwin; see
       # https://github.com/NixOS/nixpkgs/commit/94d164dd7#commitcomment-22030369
-    ++ lib.optional hostPlatform.isLinux ../../build-support/setup-hooks/audit-tmpdir.sh
+    ++ lib.optionals hostPlatform.isLinux [
+      ../../build-support/setup-hooks/audit-tmpdir.sh
+      ../../build-support/setup-hooks/move-systemd-user-units.sh
+    ]
     ++ [
       ../../build-support/setup-hooks/multiple-outputs.sh
       ../../build-support/setup-hooks/move-sbin.sh
       ../../build-support/setup-hooks/move-lib64.sh
       ../../build-support/setup-hooks/set-source-date-epoch-to-latest.sh
+      ../../build-support/setup-hooks/reproducible-builds.sh
       # TODO use lib.optional instead
       (if hasCC then cc else null)
     ];
diff --git a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
index 491951e6121f..0eb799e45258 100644
--- a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
+++ b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
@@ -328,8 +328,9 @@ in rec {
         # Fill `meta.position` to identify the source location of the package.
         // lib.optionalAttrs (pos != null) {
           position = pos.file + ":" + toString pos.line;
-        # Expose the result of the checks for everyone to see.
         } // {
+          # Expose the result of the checks for everyone to see.
+          inherit (validity) unfree broken unsupported insecure;
           available = validity.valid
                    && (if config.checkMetaRecursively or false
                        then lib.all (d: d.meta.available or true) references
diff --git a/nixpkgs/pkgs/stdenv/generic/setup.sh b/nixpkgs/pkgs/stdenv/generic/setup.sh
index d19ed342aab0..4ff0a6caf760 100644
--- a/nixpkgs/pkgs/stdenv/generic/setup.sh
+++ b/nixpkgs/pkgs/stdenv/generic/setup.sh
@@ -483,10 +483,14 @@ activatePackage() {
     # the transition, we do include everything in thatcase.
     #
     # TODO(@Ericson2314): Don't special-case native compilation
-    if [[ ( -z "${strictDeps-}" ||  "$hostOffset" -le -1 ) && -d "$pkg/bin" ]]; then
+    if [[ -z "${strictDeps-}" || "$hostOffset" -le -1 ]]; then
         addToSearchPath _PATH "$pkg/bin"
     fi
 
+    if [[ "$hostOffset" -le -1 ]]; then
+        addToSearchPath _XDG_DATA_DIRS "$pkg/share"
+    fi
+
     if [[ "$hostOffset" -eq 0 && -d "$pkg/bin" ]]; then
         addToSearchPath _HOST_PATH "$pkg/bin"
     fi
@@ -602,13 +606,16 @@ fi
 
 PATH="${_PATH-}${_PATH:+${PATH:+:}}$PATH"
 HOST_PATH="${_HOST_PATH-}${_HOST_PATH:+${HOST_PATH:+:}}$HOST_PATH"
+export XDG_DATA_DIRS="${_XDG_DATA_DIRS-}${_XDG_DATA_DIRS:+${XDG_DATA_DIRS:+:}}${XDG_DATA_DIRS-}"
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
     echo "final path: $PATH"
     echo "final host path: $HOST_PATH"
+    echo "final data dirs: $XDG_DATA_DIRS"
 fi
 
 unset _PATH
 unset _HOST_PATH
+unset _XDG_DATA_DIRS
 
 
 # Make GNU Make produce nested output.
@@ -1037,7 +1044,7 @@ checkPhase() {
     runHook preCheck
 
     if [[ -z "${foundMakefile:-}" ]]; then
-        echo "no Makefile or custom buildPhase, doing nothing"
+        echo "no Makefile or custom checkPhase, doing nothing"
         runHook postCheck
         return
     fi
@@ -1182,7 +1189,7 @@ installCheckPhase() {
     runHook preInstallCheck
 
     if [[ -z "${foundMakefile:-}" ]]; then
-        echo "no Makefile or custom buildPhase, doing nothing"
+        echo "no Makefile or custom installCheckPhase, doing nothing"
     #TODO(@oxij): should flagsArray influence make -n?
     elif [[ -z "${installCheckTarget:-}" ]] \
        && ! make -n ${makefile:+-f $makefile} ${installCheckTarget:-installcheck} >/dev/null 2>&1; then
author	Alyssa Ross <hi@alyssa.is>	2021-01-15 10:30:44 +0000
committer	Alyssa Ross <hi@alyssa.is>	2021-01-15 10:30:44 +0000
commit	e0794be8a0d11e90461e5a9c85012a36b93ec976 (patch)
tree	efd9cbc55ea3322867bf601c4d536758a3dd5fcc /nixpkgs/pkgs/stdenv/generic
parent	3538874082ded7647b1ccec0343c7c1e882cfef3 (diff)
parent	1a57d96edd156958b12782e8c8b6a374142a7248 (diff)
download	nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.gz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.bz2 nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.lz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.xz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.zst nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.zip