stdenv/check-meta: change to allowlist and blocklist (#114127)
* stdenv/check-meta: change to allowlist and blocklist * Update pkgs/stdenv/generic/check-meta.nix Co-authored-by: Graham Christensen <graham@grahamc.com>
This commit is contained in:
parent
be63b72210
commit
4b10920ed1
|
@ -151,26 +151,26 @@
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
It is also possible to whitelist and blacklist licenses that are specifically acceptable or not acceptable, using <literal>whitelistedLicenses</literal> and <literal>blacklistedLicenses</literal>, respectively.
|
It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using <literal>allowlistedLicenses</literal> and <literal>blocklistedLicenses</literal>, respectively.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
The following example configuration whitelists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
|
The following example configuration allowlists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
|
||||||
<programlisting>
|
<programlisting>
|
||||||
{
|
{
|
||||||
whitelistedLicenses = with lib.licenses; [ amd wtfpl ];
|
allowlistedLicenses = with lib.licenses; [ amd wtfpl ];
|
||||||
}
|
}
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
The following example configuration blacklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
|
The following example configuration blocklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
|
||||||
<programlisting>
|
<programlisting>
|
||||||
{
|
{
|
||||||
blacklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
|
blocklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
|
||||||
}
|
}
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note that <literal>whitelistedLicenses</literal> only applies to unfree licenses unless <literal>allowUnfree</literal> is enabled. It is not a generic whitelist for all types of licenses. <literal>blacklistedLicenses</literal> applies to all licenses.
|
Note that <literal>allowlistedLicenses</literal> only applies to unfree licenses unless <literal>allowUnfree</literal> is enabled. It is not a generic allowlist for all types of licenses. <literal>blocklistedLicenses</literal> applies to all licenses.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
|
@ -16,8 +16,8 @@ let
|
||||||
allowUnfree = config.allowUnfree or false
|
allowUnfree = config.allowUnfree or false
|
||||||
|| builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
|| builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
||||||
|
|
||||||
whitelist = config.whitelistedLicenses or [];
|
allowlist = config.allowlistedLicenses or config.whitelistedLicenses or [];
|
||||||
blacklist = config.blacklistedLicenses or [];
|
blocklist = config.blocklistedLicenses or config.blacklistedLicenses or [];
|
||||||
|
|
||||||
onlyLicenses = list:
|
onlyLicenses = list:
|
||||||
lib.lists.all (license:
|
lib.lists.all (license:
|
||||||
|
@ -27,19 +27,19 @@ let
|
||||||
) list;
|
) list;
|
||||||
|
|
||||||
areLicenseListsValid =
|
areLicenseListsValid =
|
||||||
if lib.mutuallyExclusive whitelist blacklist then
|
if lib.mutuallyExclusive allowlist blocklist then
|
||||||
assert onlyLicenses whitelist; assert onlyLicenses blacklist; true
|
assert onlyLicenses allowlist; assert onlyLicenses blocklist; true
|
||||||
else
|
else
|
||||||
throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive.";
|
throw "allowlistedLicenses and blocklistedLicenses are not mutually exclusive.";
|
||||||
|
|
||||||
hasLicense = attrs:
|
hasLicense = attrs:
|
||||||
attrs ? meta.license;
|
attrs ? meta.license;
|
||||||
|
|
||||||
hasWhitelistedLicense = assert areLicenseListsValid; attrs:
|
hasAllowlistedLicense = assert areLicenseListsValid; attrs:
|
||||||
hasLicense attrs && lib.lists.any (l: builtins.elem l whitelist) (lib.lists.toList attrs.meta.license);
|
hasLicense attrs && lib.lists.any (l: builtins.elem l allowlist) (lib.lists.toList attrs.meta.license);
|
||||||
|
|
||||||
hasBlacklistedLicense = assert areLicenseListsValid; attrs:
|
hasBlocklistedLicense = assert areLicenseListsValid; attrs:
|
||||||
hasLicense attrs && lib.lists.any (l: builtins.elem l blacklist) (lib.lists.toList attrs.meta.license);
|
hasLicense attrs && lib.lists.any (l: builtins.elem l blocklist) (lib.lists.toList attrs.meta.license);
|
||||||
|
|
||||||
allowBroken = config.allowBroken or false
|
allowBroken = config.allowBroken or false
|
||||||
|| builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
|
|| builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
|
||||||
|
@ -91,10 +91,10 @@ let
|
||||||
pos_str = meta: meta.position or "«unknown-file»";
|
pos_str = meta: meta.position or "«unknown-file»";
|
||||||
|
|
||||||
remediation = {
|
remediation = {
|
||||||
unfree = remediate_whitelist "Unfree" remediate_unfree_predicate;
|
unfree = remediate_allowlist "Unfree" remediate_unfree_predicate;
|
||||||
broken = remediate_whitelist "Broken" (x: "");
|
broken = remediate_allowlist "Broken" (x: "");
|
||||||
unsupported = remediate_whitelist "UnsupportedSystem" (x: "");
|
unsupported = remediate_allowlist "UnsupportedSystem" (x: "");
|
||||||
blacklisted = x: "";
|
blocklisted = x: "";
|
||||||
insecure = remediate_insecure;
|
insecure = remediate_insecure;
|
||||||
broken-outputs = remediateOutputsToInstall;
|
broken-outputs = remediateOutputsToInstall;
|
||||||
unknown-meta = x: "";
|
unknown-meta = x: "";
|
||||||
|
@ -112,14 +112,14 @@ let
|
||||||
remediate_unfree_predicate = attrs:
|
remediate_unfree_predicate = attrs:
|
||||||
''
|
''
|
||||||
|
|
||||||
Alternatively you can configure a predicate to whitelist specific packages:
|
Alternatively you can configure a predicate to allow specific packages:
|
||||||
{ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
{ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||||
"${lib.getName attrs}"
|
"${lib.getName attrs}"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
remediate_whitelist = allow_attr: rebuild_amendment: attrs:
|
remediate_allowlist = allow_attr: rebuild_amendment: attrs:
|
||||||
''
|
''
|
||||||
a) To temporarily allow ${remediation_phrase allow_attr}, you can use an environment variable
|
a) To temporarily allow ${remediation_phrase allow_attr}, you can use an environment variable
|
||||||
for a single invocation of the nix tools.
|
for a single invocation of the nix tools.
|
||||||
|
@ -141,7 +141,7 @@ let
|
||||||
Known issues:
|
Known issues:
|
||||||
'' + (lib.concatStrings (map (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities)) + ''
|
'' + (lib.concatStrings (map (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities)) + ''
|
||||||
|
|
||||||
You can install it anyway by whitelisting this package, using the
|
You can install it anyway by allowing this package, using the
|
||||||
following methods:
|
following methods:
|
||||||
|
|
||||||
a) To temporarily allow all insecure packages, you can use an environment
|
a) To temporarily allow all insecure packages, you can use an environment
|
||||||
|
@ -268,7 +268,7 @@ let
|
||||||
#
|
#
|
||||||
# Return { valid: Bool } and additionally
|
# Return { valid: Bool } and additionally
|
||||||
# { reason: String; errormsg: String } if it is not valid, where
|
# { reason: String; errormsg: String } if it is not valid, where
|
||||||
# reason is one of "unfree", "blacklisted", "broken", "insecure", ...
|
# reason is one of "unfree", "blocklisted", "broken", "insecure", ...
|
||||||
# Along with a boolean flag for each reason
|
# Along with a boolean flag for each reason
|
||||||
checkValidity = attrs:
|
checkValidity = attrs:
|
||||||
{
|
{
|
||||||
|
@ -277,10 +277,10 @@ let
|
||||||
unsupported = hasUnsupportedPlatform attrs;
|
unsupported = hasUnsupportedPlatform attrs;
|
||||||
insecure = isMarkedInsecure attrs;
|
insecure = isMarkedInsecure attrs;
|
||||||
}
|
}
|
||||||
// (if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
|
// (if hasDeniedUnfreeLicense attrs && !(hasAllowlistedLicense attrs) then
|
||||||
{ valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
{ valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
||||||
else if hasBlacklistedLicense attrs then
|
else if hasBlocklistedLicense attrs then
|
||||||
{ valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; }
|
{ valid = false; reason = "blocklisted"; errormsg = "has a blocklisted license (‘${showLicense attrs.meta.license}’)"; }
|
||||||
else if !allowBroken && attrs.meta.broken or false then
|
else if !allowBroken && attrs.meta.broken or false then
|
||||||
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
|
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
|
||||||
else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then
|
else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then
|
||||||
|
|
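Review bot: The fallback `config.allowlistedLicenses or config.whitelistedLicenses or []` in the `@ -16,8 +16,8 @@` hunk (and its `blocklist` twin) keeps the legacy names working but gives no signal that they are deprecated, so a configuration that still sets `whitelistedLicenses` alongside a newer fragment setting `allowlistedLicenses` has the legacy list silently ignored, which quietly changes which unfree licenses are permitted. Since the only diagnostics that name these options (`throw "allowlistedLicenses and blocklistedLicenses are not mutually exclusive."` in the next hunk) now mention just the new names, a user on the old names gets an error about options they never set. Wrapping the legacy branch in `lib.warn` (already available via the `lib` this file uses) makes the migration visible without changing the accepted values; the enclosing `let` starts and ends outside the hunk, and the `reason = "blocklisted"` string in the `@ -277` hunk is presumably matched by out-of-tree callers as well, which the commit message could call out.
```nix
allowlist = config.allowlistedLicenses or
  (if config ? whitelistedLicenses
   then lib.warn "config.whitelistedLicenses is deprecated, use config.allowlistedLicenses" config.whitelistedLicenses
   else []);
blocklist = config.blocklistedLicenses or
  (if config ? blacklistedLicenses
   then lib.warn "config.blacklistedLicenses is deprecated, use config.blocklistedLicenses" config.blacklistedLicenses
   else []);
# … unchanged: onlyLicenses, areLicenseListsValid …
```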