From b0c89af34ac6b408bd5ef7d6e6b44bdf64967d92 Mon Sep 17 00:00:00 2001 
From: Adam Joseph Date: Mon, 30 May 2022 10:16:54 -0700 Subject: [PATCH 1/2] lib/source-types.nix: remove redundant sourceType The provenance type `fromSource` is redundant, and adds numerous special edge cases. Let's remove it. I pointed this out during the review of #161098; @risicle asked that I submit this as a separate subsequent PR in order to not further delay the merge of #161098. Therefore, I am submitting it now. The `fromSource` provenance type is redundant; the following are semantically indistinguishable: ``` meta = { sourceProvenance = []; } meta = { sourceProvenance = [ lib.source-types.fromSource ]; } ``` Furthermore, `fromSource` gets special treatment: "a package with no `meta.sourceProvenance` set implies it has no *known* `sourceType`s **other than `fromSource`.**". This greatly complicates the "is this package built from source" routine. Consider the exemplar `allowNonSourcePredicate` to permit non-source firmware given in check-meta.nix. This predicate is likely to be a very popular policy choice for nixpkgs users, due to the level of firmware-saturation in consumer-grade hardware. It changes from: ``` allowNonSourcePredicate = with lib.lists; pkg: !(any (p: !p.isSource && p!=lib.sourceTypes.binaryFirmware) (toList pkg.meta.sourceProvenance) ``` to ``` allowNonSourcePredicate = lib.lists.any (p: p!=lib.sourceTypes.binaryFirmware) (toList pkg.meta.sourceProvenance); ``` and, if #175495 merges, even further to: ``` allowNonSourcePredicate = lib.lists.any (p: p!=lib.sourceTypes.binaryFirmware) pkg.meta.sourceProvenance; ``` Similar simplifications will be enjoyed by any predicates which users write for themselves, or any "provenance functionals" which express the `sourceProvenance` of one package as a function of the `sourceProvenance` of some subpackage. --- doc/stdenv/meta.chapter.md | 6 +----- lib/source-types.nix | 5 ----- pkgs/stdenv/generic/check-meta.nix | 5 ++--- 3 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/doc/stdenv/meta.chapter.md b/doc/stdenv/meta.chapter.md
index 475006b1259b6..639ff572bd035 100644
--- a/doc/stdenv/meta.chapter.md
+++ b/doc/stdenv/meta.chapter.md
@@ -258,14 +258,10 @@ If a package contains elements that are not built from the original source by a
 Adding this information helps users who have needs related to build transparency and supply-chain security to gain some visibility into their installed software or set policy to allow or disallow installation based on source provenance.
-The presence of a particular `sourceType` in a package's `meta.sourceProvenance` list indicates that the package contains some components falling into that category, though the *absence* of that `sourceType` does not *guarantee* the absence of that category of `sourceType` in the package's contents. A package with no `meta.sourceProvenance` set implies it has no *known* `sourceType`s other than `fromSource`.
+The presence of a particular `sourceType` in a package's `meta.sourceProvenance` list indicates that the package contains some components falling into that category, though the *absence* of that `sourceType` does not *guarantee* the absence of that category of `sourceType` in the package's contents. A package with no `meta.sourceProvenance` set implies it has no *known* components with any of the `sourceTypes` below.
 The meaning of the `meta.sourceProvenance` attribute does not depend on the value of the `meta.license` attribute.
-### `lib.sourceTypes.fromSource` {#lib.sourceTypes.fromSource}
-
-Package elements which are produced by a nixpkgs derivation which builds them from source code.
-
 ### `lib.sourceTypes.binaryNativeCode` {#lib.sourceTypes.binaryNativeCode}
 Native code to be executed on the target system's CPU, built by a third party. This includes packages which wrap a downloaded AppImage or Debian package.
diff --git a/lib/source-types.nix b/lib/source-types.nix
index c4f263dcf4643..c119fc9cbb829 100644
--- a/lib/source-types.nix
+++ b/lib/source-types.nix
@@ -3,14 +3,9 @@ let
 defaultSourceType = tname: {
 shortName = tname;
- isSource = false;
 };
 in lib.mapAttrs (tname: tset: defaultSourceType tname // tset) {
- fromSource = {
- isSource = true;
- };
-
 binaryNativeCode = {};
 binaryBytecode = {};
diff --git a/pkgs/stdenv/generic/check-meta.nix b/pkgs/stdenv/generic/check-meta.nix
index 4e5db210637a6..66e2d54e12ca3 100644
--- a/pkgs/stdenv/generic/check-meta.nix
+++ b/pkgs/stdenv/generic/check-meta.nix
@@ -89,8 +89,7 @@ let
 allowInsecurePredicate attrs ||
 builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
-
- isNonSource = sourceTypes: lib.lists.any (t: !t.isSource) sourceTypes;
+ isNonSource = sourceTypes: sourceTypes != [];
 hasNonSourceProvenance = attrs:
 (attrs ? meta.sourceProvenance) &&
@@ -101,7 +100,7 @@ let
 # {pkgs, ...}:
 # {
 # allowNonSource = false;
- # allowNonSourcePredicate = with lib.lists; pkg: !(any (p: !p.isSource && p!=lib.sourceTypes.binaryFirmware) (toList pkg.meta.sourceProvenance));
+ # allowNonSourcePredicate = lib.lists.any (p: p!=lib.sourceTypes.binaryFirmware) (toList pkg.meta.sourceProvenance);
 # }
 allowNonSourcePredicate = config.allowNonSourcePredicate or (x: false);
From 49b5b40e5d5be52139eaf6320ea1d81b4715835f Mon Sep 17 00:00:00 2001
From: Adam Joseph
Date: Mon, 30 May 2022 11:14:37 -0700
Subject: [PATCH 2/2] fix example
---
 pkgs/stdenv/generic/check-meta.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/stdenv/generic/check-meta.nix b/pkgs/stdenv/generic/check-meta.nix
index 66e2d54e12ca3..747f8ac098c04 100644
--- a/pkgs/stdenv/generic/check-meta.nix
+++ b/pkgs/stdenv/generic/check-meta.nix
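Review bot: The replacement example predicate in the `@@ -101,7 +100,7 @@` hunk of check-meta.nix inverts the policy it is meant to express: `lib.lists.any (p: p!=lib.sourceTypes.binaryFirmware) ...` yields true (allow) as soon as any listed provenance is something other than firmware, such as `binaryNativeCode`, and yields false for a package whose only non-source component is firmware. The removed line negated the `any`, so permitting firmware-only packages needs `!(any (p: p != lib.sourceTypes.binaryFirmware) ...)` or, equivalently, `all (p: p == lib.sourceTypes.binaryFirmware) ...`. The PATCH 2/2 hunk that follows rebinds `pkg` but keeps the inverted test, so the final line should read `# allowNonSourcePredicate = with lib.lists; pkg: !(any (p: p != lib.sourceTypes.binaryFirmware) (toList pkg.meta.sourceProvenance));`. Because this comment is the template users are expected to copy into their configuration, the inversion would admit binary native code while rejecting exactly the firmware the policy intends to permit.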
@@ -100,7 +100,7 @@ let
 # {pkgs, ...}:
 # {
 # allowNonSource = false;
- # allowNonSourcePredicate = lib.lists.any (p: p!=lib.sourceTypes.binaryFirmware) (toList pkg.meta.sourceProvenance);
+ # allowNonSourcePredicate = with lib.lists; pkg: any (p: p!=lib.sourceTypes.binaryFirmware) (toList pkg.meta.sourceProvenance);
 # }
 allowNonSourcePredicate = config.allowNonSourcePredicate or (x: false);