diff options
author | Alyssa Ross <hi@alyssa.is> | 2021-01-15 10:30:44 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2021-01-15 10:30:44 +0000 |
commit | e0794be8a0d11e90461e5a9c85012a36b93ec976 (patch) | |
tree | efd9cbc55ea3322867bf601c4d536758a3dd5fcc /nixpkgs/pkgs/stdenv/generic | |
parent | 3538874082ded7647b1ccec0343c7c1e882cfef3 (diff) | |
parent | 1a57d96edd156958b12782e8c8b6a374142a7248 (diff) | |
download | nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.gz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.bz2 nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.lz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.xz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.zst nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.zip |
Merge commit '1a57d96edd156958b12782e8c8b6a374142a7248'
Diffstat (limited to 'nixpkgs/pkgs/stdenv/generic')
-rw-r--r-- | nixpkgs/pkgs/stdenv/generic/check-meta.nix | 78 | ||||
-rw-r--r-- | nixpkgs/pkgs/stdenv/generic/default.nix | 6 | ||||
-rw-r--r-- | nixpkgs/pkgs/stdenv/generic/make-derivation.nix | 3 | ||||
-rw-r--r-- | nixpkgs/pkgs/stdenv/generic/setup.sh | 13 |
4 files changed, 78 insertions, 22 deletions
diff --git a/nixpkgs/pkgs/stdenv/generic/check-meta.nix b/nixpkgs/pkgs/stdenv/generic/check-meta.nix index c06f17b6fc19..160ca5d4e068 100644 --- a/nixpkgs/pkgs/stdenv/generic/check-meta.nix +++ b/nixpkgs/pkgs/stdenv/generic/check-meta.nix @@ -49,6 +49,18 @@ let isUnfree = licenses: lib.lists.any (l: !l.free or true) licenses; + hasUnfreeLicense = attrs: + hasLicense attrs && + isUnfree (lib.lists.toList attrs.meta.license); + + isMarkedBroken = attrs: attrs.meta.broken or false; + + hasUnsupportedPlatform = attrs: + (!lib.lists.elem hostPlatform.system (attrs.meta.platforms or lib.platforms.all) || + lib.lists.elem hostPlatform.system (attrs.meta.badPlatforms or [])); + + isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or []) != []; + # Alow granular checks to allow only some unfree packages # Example: # {pkgs, ...}: @@ -62,16 +74,15 @@ let # package has an unfree license and is not explicitely allowed by the # `allowUnfreePredicate` function. hasDeniedUnfreeLicense = attrs: + hasUnfreeLicense attrs && !allowUnfree && - hasLicense attrs && - isUnfree (lib.lists.toList attrs.meta.license) && !allowUnfreePredicate attrs; allowInsecureDefaultPredicate = x: builtins.elem (getName x) (config.permittedInsecurePackages or []); allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x; hasAllowedInsecure = attrs: - (attrs.meta.knownVulnerabilities or []) == [] || + !(isMarkedInsecure attrs) || allowInsecurePredicate attrs || builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1"; @@ -80,21 +91,46 @@ let pos_str = meta: meta.position or "«unknown-file»"; remediation = { - unfree = remediate_whitelist "Unfree"; - broken = remediate_whitelist "Broken"; - unsupported = remediate_whitelist "UnsupportedSystem"; + unfree = remediate_whitelist "Unfree" remediate_unfree_predicate; + broken = remediate_whitelist "Broken" (x: ""); + unsupported = remediate_whitelist "UnsupportedSystem" (x: ""); blacklisted = x: ""; insecure = remediate_insecure; broken-outputs = remediateOutputsToInstall; unknown-meta = x: ""; }; - remediate_whitelist = allow_attr: attrs: + remediation_env_var = allow_attr: { + Unfree = "NIXPKGS_ALLOW_UNFREE"; + Broken = "NIXPKGS_ALLOW_BROKEN"; + UnsupportedSystem = "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM"; + }.${allow_attr}; + remediation_phrase = allow_attr: { + Unfree = "unfree packages"; + Broken = "broken packages"; + UnsupportedSystem = "packages that are unsupported for this system"; + }.${allow_attr}; + remediate_unfree_predicate = attrs: '' - a) For `nixos-rebuild` you can set + + Alternatively you can configure a predicate to whitelist specific packages: + { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "${lib.getName attrs}" + ]; + } + ''; + + remediate_whitelist = allow_attr: rebuild_amendment: attrs: + '' + a) To temporarily allow ${remediation_phrase allow_attr}, you can use an environment variable + for a single invocation of the nix tools. + + $ export ${remediation_env_var allow_attr}=1 + + b) For `nixos-rebuild` you can set { nixpkgs.config.allow${allow_attr} = true; } in configuration.nix to override this. - - b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add + ${rebuild_amendment attrs} + c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add { allow${allow_attr} = true; } to ~/.config/nixpkgs/config.nix. ''; @@ -178,6 +214,9 @@ let platforms = listOf str; hydraPlatforms = listOf str; broken = bool; + unfree = bool; + unsupported = bool; + insecure = bool; # TODO: refactor once something like Profpatsch's types-simple will land # This is currently dead code due to https://github.com/NixOS/nix/issues/2532 tests = attrsOf (mkOptionType { @@ -229,17 +268,22 @@ let # # Return { valid: Bool } and additionally # { reason: String; errormsg: String } if it is not valid, where - # reason is one of "unfree", "blacklisted" or "broken". + # reason is one of "unfree", "blacklisted", "broken", "insecure", ... + # Along with a boolean flag for each reason checkValidity = attrs: - if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then + { + unfree = hasUnfreeLicense attrs; + broken = isMarkedBroken attrs; + unsupported = hasUnsupportedPlatform attrs; + insecure = isMarkedInsecure attrs; + } + // (if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then { valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; } else if hasBlacklistedLicense attrs then { valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; } else if !allowBroken && attrs.meta.broken or false then { valid = false; reason = "broken"; errormsg = "is marked as broken"; } - else if !allowUnsupportedSystem && - (!lib.lists.elem hostPlatform.system (attrs.meta.platforms or lib.platforms.all) || - lib.lists.elem hostPlatform.system (attrs.meta.badPlatforms or [])) then + else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then { valid = false; reason = "unsupported"; errormsg = "is not supported on ‘${hostPlatform.system}’"; } else if !(hasAllowedInsecure attrs) then { valid = false; reason = "insecure"; errormsg = "is marked as insecure"; } @@ -247,14 +291,14 @@ let { valid = false; reason = "broken-outputs"; errormsg = "has invalid meta.outputsToInstall"; } else let res = checkMeta (attrs.meta or {}); in if res != [] then { valid = false; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${lib.concatMapStrings (x: "\n\t - " + x) res}"; } - else { valid = true; }; + else { valid = true; }); assertValidity = { meta, attrs }: let validity = checkValidity attrs; in validity // { # Throw an error if trying to evaluate an non-valid derivation handled = if !validity.valid - then handleEvalIssue { inherit meta attrs; } (removeAttrs validity ["valid"]) + then handleEvalIssue { inherit meta attrs; } { inherit (validity) reason errormsg; } else true; }; diff --git a/nixpkgs/pkgs/stdenv/generic/default.nix b/nixpkgs/pkgs/stdenv/generic/default.nix index b57989786904..c7c3bb9f3f3f 100644 --- a/nixpkgs/pkgs/stdenv/generic/default.nix +++ b/nixpkgs/pkgs/stdenv/generic/default.nix @@ -61,12 +61,16 @@ let ] # FIXME this on Darwin; see # https://github.com/NixOS/nixpkgs/commit/94d164dd7#commitcomment-22030369 - ++ lib.optional hostPlatform.isLinux ../../build-support/setup-hooks/audit-tmpdir.sh + ++ lib.optionals hostPlatform.isLinux [ + ../../build-support/setup-hooks/audit-tmpdir.sh + ../../build-support/setup-hooks/move-systemd-user-units.sh + ] ++ [ ../../build-support/setup-hooks/multiple-outputs.sh ../../build-support/setup-hooks/move-sbin.sh ../../build-support/setup-hooks/move-lib64.sh ../../build-support/setup-hooks/set-source-date-epoch-to-latest.sh + ../../build-support/setup-hooks/reproducible-builds.sh # TODO use lib.optional instead (if hasCC then cc else null) ]; diff --git a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix index 491951e6121f..0eb799e45258 100644 --- a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix +++ b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix @@ -328,8 +328,9 @@ in rec { # Fill `meta.position` to identify the source location of the package. // lib.optionalAttrs (pos != null) { position = pos.file + ":" + toString pos.line; - # Expose the result of the checks for everyone to see. } // { + # Expose the result of the checks for everyone to see. + inherit (validity) unfree broken unsupported insecure; available = validity.valid && (if config.checkMetaRecursively or false then lib.all (d: d.meta.available or true) references diff --git a/nixpkgs/pkgs/stdenv/generic/setup.sh b/nixpkgs/pkgs/stdenv/generic/setup.sh index d19ed342aab0..4ff0a6caf760 100644 --- a/nixpkgs/pkgs/stdenv/generic/setup.sh +++ b/nixpkgs/pkgs/stdenv/generic/setup.sh @@ -483,10 +483,14 @@ activatePackage() { # the transition, we do include everything in thatcase. # # TODO(@Ericson2314): Don't special-case native compilation - if [[ ( -z "${strictDeps-}" || "$hostOffset" -le -1 ) && -d "$pkg/bin" ]]; then + if [[ -z "${strictDeps-}" || "$hostOffset" -le -1 ]]; then addToSearchPath _PATH "$pkg/bin" fi + if [[ "$hostOffset" -le -1 ]]; then + addToSearchPath _XDG_DATA_DIRS "$pkg/share" + fi + if [[ "$hostOffset" -eq 0 && -d "$pkg/bin" ]]; then addToSearchPath _HOST_PATH "$pkg/bin" fi @@ -602,13 +606,16 @@ fi PATH="${_PATH-}${_PATH:+${PATH:+:}}$PATH" HOST_PATH="${_HOST_PATH-}${_HOST_PATH:+${HOST_PATH:+:}}$HOST_PATH" +export XDG_DATA_DIRS="${_XDG_DATA_DIRS-}${_XDG_DATA_DIRS:+${XDG_DATA_DIRS:+:}}${XDG_DATA_DIRS-}" if (( "${NIX_DEBUG:-0}" >= 1 )); then echo "final path: $PATH" echo "final host path: $HOST_PATH" + echo "final data dirs: $XDG_DATA_DIRS" fi unset _PATH unset _HOST_PATH +unset _XDG_DATA_DIRS # Make GNU Make produce nested output. @@ -1037,7 +1044,7 @@ checkPhase() { runHook preCheck if [[ -z "${foundMakefile:-}" ]]; then - echo "no Makefile or custom buildPhase, doing nothing" + echo "no Makefile or custom checkPhase, doing nothing" runHook postCheck return fi @@ -1182,7 +1189,7 @@ installCheckPhase() { runHook preInstallCheck if [[ -z "${foundMakefile:-}" ]]; then - echo "no Makefile or custom buildPhase, doing nothing" + echo "no Makefile or custom installCheckPhase, doing nothing" #TODO(@oxij): should flagsArray influence make -n? elif [[ -z "${installCheckTarget:-}" ]] \ && ! make -n ${makefile:+-f $makefile} ${installCheckTarget:-installcheck} >/dev/null 2>&1; then |