stdenv/check-meta: change to allowlist and blocklist (#114127)
* stdenv/check-meta: change to allowlist and blocklist * Update pkgs/stdenv/generic/check-meta.nix Co-authored-by: Graham Christensen <graham@grahamc.com>
parent
be63b72210
commit
4b10920ed1
|
@ -151,26 +151,26 @@
|
|||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
It is also possible to whitelist and blacklist licenses that are specifically acceptable or not acceptable, using <literal>whitelistedLicenses</literal> and <literal>blacklistedLicenses</literal>, respectively.
|
||||
It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using <literal>allowlistedLicenses</literal> and <literal>blocklistedLicenses</literal>, respectively.
|
||||
</para>
|
||||
<para>
|
||||
The following example configuration whitelists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
|
||||
The following example configuration allowlists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
|
||||
<programlisting>
|
||||
{
|
||||
whitelistedLicenses = with lib.licenses; [ amd wtfpl ];
|
||||
allowlistedLicenses = with lib.licenses; [ amd wtfpl ];
|
||||
}
|
||||
</programlisting>
|
||||
</para>
|
||||
<para>
|
||||
The following example configuration blacklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
|
||||
The following example configuration blocklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
|
||||
<programlisting>
|
||||
{
|
||||
blacklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
|
||||
blocklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
|
||||
}
|
||||
</programlisting>
|
||||
</para>
|
||||
<para>
|
||||
Note that <literal>whitelistedLicenses</literal> only applies to unfree licenses unless <literal>allowUnfree</literal> is enabled. It is not a generic whitelist for all types of licenses. <literal>blacklistedLicenses</literal> applies to all licenses.
|
||||
Note that <literal>allowlistedLicenses</literal> only applies to unfree licenses unless <literal>allowUnfree</literal> is enabled. It is not a generic allowlist for all types of licenses. <literal>blocklistedLicenses</literal> applies to all licenses.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
|
|
@ -16,8 +16,8 @@ let
|
|||
allowUnfree = config.allowUnfree or false
|
||||
|| builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
||||
|
||||
whitelist = config.whitelistedLicenses or [];
|
||||
blacklist = config.blacklistedLicenses or [];
|
||||
allowlist = config.allowlistedLicenses or config.whitelistedLicenses or [];
|
||||
blocklist = config.blocklistedLicenses or config.blacklistedLicenses or [];
|
||||
|
||||
onlyLicenses = list:
|
||||
lib.lists.all (license:
|
||||
|
@ -27,19 +27,19 @@ let
|
|||
) list;
|
||||
|
||||
areLicenseListsValid =
|
||||
if lib.mutuallyExclusive whitelist blacklist then
|
||||
assert onlyLicenses whitelist; assert onlyLicenses blacklist; true
|
||||
if lib.mutuallyExclusive allowlist blocklist then
|
||||
assert onlyLicenses allowlist; assert onlyLicenses blocklist; true
|
||||
else
|
||||
throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive.";
|
||||
throw "allowlistedLicenses and blocklistedLicenses are not mutually exclusive.";
|
||||
|
||||
hasLicense = attrs:
|
||||
attrs ? meta.license;
|
||||
|
||||
hasWhitelistedLicense = assert areLicenseListsValid; attrs:
|
||||
hasLicense attrs && lib.lists.any (l: builtins.elem l whitelist) (lib.lists.toList attrs.meta.license);
|
||||
hasAllowlistedLicense = assert areLicenseListsValid; attrs:
|
||||
hasLicense attrs && lib.lists.any (l: builtins.elem l allowlist) (lib.lists.toList attrs.meta.license);
|
||||
|
||||
hasBlacklistedLicense = assert areLicenseListsValid; attrs:
|
||||
hasLicense attrs && lib.lists.any (l: builtins.elem l blacklist) (lib.lists.toList attrs.meta.license);
|
||||
hasBlocklistedLicense = assert areLicenseListsValid; attrs:
|
||||
hasLicense attrs && lib.lists.any (l: builtins.elem l blocklist) (lib.lists.toList attrs.meta.license);
|
||||
|
||||
allowBroken = config.allowBroken or false
|
||||
|| builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
|
||||
|
@ -91,10 +91,10 @@ let
|
|||
pos_str = meta: meta.position or "«unknown-file»";
|
||||
|
||||
remediation = {
|
||||
unfree = remediate_whitelist "Unfree" remediate_unfree_predicate;
|
||||
broken = remediate_whitelist "Broken" (x: "");
|
||||
unsupported = remediate_whitelist "UnsupportedSystem" (x: "");
|
||||
blacklisted = x: "";
|
||||
unfree = remediate_allowlist "Unfree" remediate_unfree_predicate;
|
||||
broken = remediate_allowlist "Broken" (x: "");
|
||||
unsupported = remediate_allowlist "UnsupportedSystem" (x: "");
|
||||
blocklisted = x: "";
|
||||
insecure = remediate_insecure;
|
||||
broken-outputs = remediateOutputsToInstall;
|
||||
unknown-meta = x: "";
|
||||
|
@ -112,14 +112,14 @@ let
|
|||
remediate_unfree_predicate = attrs:
|
||||
''
|
||||
|
||||
Alternatively you can configure a predicate to whitelist specific packages:
|
||||
Alternatively you can configure a predicate to allow specific packages:
|
||||
{ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||
"${lib.getName attrs}"
|
||||
];
|
||||
}
|
||||
'';
|
||||
|
||||
remediate_whitelist = allow_attr: rebuild_amendment: attrs:
|
||||
remediate_allowlist = allow_attr: rebuild_amendment: attrs:
|
||||
''
|
||||
a) To temporarily allow ${remediation_phrase allow_attr}, you can use an environment variable
|
||||
for a single invocation of the nix tools.
|
||||
|
@ -141,7 +141,7 @@ let
|
|||
Known issues:
|
||||
'' + (lib.concatStrings (map (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities)) + ''
|
||||
|
||||
You can install it anyway by whitelisting this package, using the
|
||||
You can install it anyway by allowing this package, using the
|
||||
following methods:
|
||||
|
||||
a) To temporarily allow all insecure packages, you can use an environment
|
||||
|
@ -268,7 +268,7 @@ let
|
|||
#
|
||||
# Return { valid: Bool } and additionally
|
||||
# { reason: String; errormsg: String } if it is not valid, where
|
||||
# reason is one of "unfree", "blacklisted", "broken", "insecure", ...
|
||||
# reason is one of "unfree", "blocklisted", "broken", "insecure", ...
|
||||
# Along with a boolean flag for each reason
|
||||
checkValidity = attrs:
|
||||
{
|
||||
|
@ -277,10 +277,10 @@ let
|
|||
unsupported = hasUnsupportedPlatform attrs;
|
||||
insecure = isMarkedInsecure attrs;
|
||||
}
|
||||
// (if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
|
||||
// (if hasDeniedUnfreeLicense attrs && !(hasAllowlistedLicense attrs) then
|
||||
{ valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
||||
else if hasBlacklistedLicense attrs then
|
||||
{ valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; }
|
||||
else if hasBlocklistedLicense attrs then
|
||||
{ valid = false; reason = "blocklisted"; errormsg = "has a blocklisted license (‘${showLicense attrs.meta.license}’)"; }
|
||||
else if !allowBroken && attrs.meta.broken or false then
|
||||
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
|
||||
else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then
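Review bot: The legacy fallback in `blocklist = config.blocklistedLicenses or config.blacklistedLicenses or [];` (and the matching `allowlist` binding) selects one name or the other, so a configuration that sets both names has its `blacklistedLicenses` entries dropped without any message, which quietly relaxes the license policy. Taking the union keeps the stricter result: `blocklist = (config.blocklistedLicenses or []) ++ (config.blacklistedLicenses or []);`. The old names are also accepted silently, and the `throw` in `areLicenseListsValid` now names only the new options even when the user set the old ones; a comment above the two bindings such as `# whitelistedLicenses/blacklistedLicenses are deprecated aliases kept for backward compatibility` would record the intent. The `reason` string in `checkValidity` changes from `"blacklisted"` to `"blocklisted"`, so any consumer outside these hunks that matches on it would need the same rename; that cannot be confirmed from the visible lines. Both the `let` block and `checkValidity` continue outside the hunks shown.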
|
||||
|
|