-
-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC 0089] Collect non-source package meta attribute #89
Conversation
d9e0b03
to
90f214d
Compare
|
||
Add a mechanism to allow `.nixpkgs/config.nix` to specify | ||
`allowNonSource = false` to prevent use of these packages in a similar manner | ||
to `allowUnfree`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There should also be allowNonSourcePredicate
.
# Detailed design | ||
[design]: #detailed-design | ||
|
||
Add a new `meta` attribute to non-source-built packages, `fromSource = false`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem flexible enough:
- Along the lines of the
unfreeRedistributableFirmware
license, there should be a way to label binary packages used in bootstrapping as such. Most users who don't want binary packages will be okay with their use in bootstrapping. - Binary fonts (mentioned below) or graphics might also be acceptable.
Do you think allowNonSourcePredicate
is enough for the latter?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, this hints slightly towards making it non-boolean, but if so, what should the options be? I think I considered finer classifications but saw it as something this could evolve into if/once we come to understand the problem better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A list of "types"? Because a package might contain different types!
{
meta.sourceProvenance = with lib.sourceTypes; [
sourceCode
sourceFirmware
];
}
For an hypothetical driver with a code part, and a binary firmware part.
{
meta.sourceProvenance = with lib.sourceTypes; [
sourcePrebuiltFont
];
}
For a pre-built font.
(The naming here is clunky, I hope if gets the point across.)
EDIT: as a bonus, collecting what provenances a closure uses is a matter of adding all the lists together, and then getting the unique elements. And it is closer to the mechanisms used for licenses.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a list of types is usually too complex. Hence I suggest usually not using them, even though some packages might require them.
We sometimes have lists of licenses, though without clear semantics. For this attribute, a list should be interpreted as being built from all of those types combined.
I would call the attribute meta.builtFrom
.
A normal xyz-bin
package would, even if parts of it are built from source, have
meta.builtFrom = lib.builtFrom.binary
A binary font could have
meta.builtFrom = lib.builtFrom.binaryAsset
And a bootstrapping package would have
meta.builtFrom = lib.builtFrom.binaryBootstrap
The default would be
meta.builtFrom = lib.builtFrom.source
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While I agree that they are more complex, I don't think it's an issue.
Otherwise we're pushing the complexity into pre-declaring all possible combinations as part of the library representing the different types.
We need granularity here. Otherwise we'll have issues deciding which descriptor to use, and end up using the wrong generic "it's a binary", which will make filtering against or for a specific descriptor needlessly harder.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can do something "weird" and have lib.builtFrom.source = ["source"]
so that you can easily do one or ++
two together. Or maybe better is lib.buildFrom.source = {source = true;}
and then you can //
them together but it is a bit easier for a predicate to filter the ones that you are okay with (and removes the irrelevant ordering).
Also I think instead of builtFrom
it probably makes sense to call it nonSourceComponents
and list the types of things that were not built from source where "types" could be things like code
, assets
, docs
and similar.
I see this is somewhat against the "Why not isBinary?" below but I think it kinda agrees. nonSourceComponents = {}
is the "purest" form and well understood. Then you just have to document the deviations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really like samueldr's idea here. Another benefit of it would be that I'd be able to say "I don't want proprietary software on my computer, but it's okay if data files are CC-BY-ND" or something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's nice, my worry is just what we'd actually end up with given humans being humans, most people probably not that invested in understanding a complex tagging scheme well enough to perfectly represent the situation for a particular package.
This concern probably comes from my background in openstreetmap and the long, heated discussions that take place on the "tagging" mailing list debating a scheme that can perfectly represent most every situation, yet which ends up bearing little relation to what people actually map with in reality, because it's too complex and verbose.
I certainly think it's important to make the common cases have very concise representations, and also allow both coarse and fine granularity. If only fine granularities are allowed, it will deter most people from bothering to add an annotation at all. Coarse data is better than nothing and can always be refined.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tend to agree with @risicle and @dotlambda here, in that I think we should at least start with a rougher schema, and wait until we've seen if we actually need a more refined one. I resonate with the risk @risicle sees, otherwise.
@dotlambda's proposal matches what I would do:
- If a package has both binary and source it will be marked as binary (i.e. we prefer a rougher schema, and err on the side of overapplying the "binary" label)
- it special cases bootstrap binaries and fonts
- Adds an
allowNonSourcePredicate
I think this would be a great first step, and it would address the 2 points raised in the RFC:
- supply chain attacks
- patching
Other concerns, like wanting to only run free software + special casing some data files based on their license, I would leave out of this RFC, and potentially address in a follow-up one.
Will this also concerned vendored code ? If the option of using a list for the provenance of source information, might it be relevant to include information if the source have vendored code (I here mean code that isn't created by the author of the source file, and that is unmodified, so that may be compiled in another unit, like for example rust package, with the VendorSha256 entry). It might be relevant to indicate this, as it mean overriding the library in nixpkgs may not update other package that vendor the library. |
I think vendored code is beyond what I'd consider scope creep for this proposal. |
This RFC is open for shepherd nominations now btw! |
Nominate myself. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
We still need more nomination for this RFC to proceed. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/rfcs-looking-for-shepherds/14203/1 |
I’d like to be a shepherd on this one. |
I nominate myself |
We decided on the shepherd team: @asymmetric, @aforemny and @alyssais |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @risicle for the work you're putting into this. the RFC reads great!
Just to clarify, apart from getting this RFC through the finish line, are you still willing to go through (parts of) nixpkgs and mark non-exclusively-source packages as such?
I don't think this is a requirement, by the way - just wondering what practical outcomes we can expect to come out of this RFC. Even just arriving at consensus on the new attribute would be great.
Add a new `meta` attribute to non-source-built packages, `sourceProvenance`. | ||
The value of this attribute being a list of at least one entriy from a | ||
collection of possibilities maintained in `lib.sourceTypes`. These possibilities | ||
can be of opaque type, but should have entries to represent at least "built from |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does opaque type mean in this context?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I meant "you shouldn't expect any specific behaviour from it other than being able to check for equality". At time of writing I think I was leaving open the possibility of having values which were able to understand their own hierarchy to some degree, though the more I think of it, it would probably be better to embed all notions of hierarchy in the allowNonSourcePredicate
function to allow customization there too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would then rather change this to remove the reference to opaqueness, since it's rather.. opaque like this.
Do you agree?
Co-authored-by: asymmetric <lorenzo@mailbox.org>
Co-authored-by: asymmetric <lorenzo@mailbox.org>
Yes, I'm willing to do a non-comprehensive pass of nixpkgs looking for the low-hanging fruit and more obvious cases. |
@asymmetric with the updated rfc text, do you think it's time for a new meeting? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that, apart from the nit I mentioned in this review, this is good to go.
@risicle can you make a quick edit addressing this point? I think after that, we can move ahead.
Add a new `meta` attribute to non-source-built packages, `sourceProvenance`. | ||
The value of this attribute being a list of at least one entriy from a | ||
collection of possibilities maintained in `lib.sourceTypes`. These possibilities | ||
can be of opaque type, but should have entries to represent at least "built from |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would then rather change this to remove the reference to opaqueness, since it's rather.. opaque like this.
Do you agree?
Also, sorry for the delay everyone, life took over. |
Done. |
I propose this RFC move to FCP, with intention to merge. |
I second that! :-) |
I agree, let's go to FCP! |
@NixOS/rfc-steering-committee all shepherds have signaled their intention to move to FCP. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/rfc-0089-fcp-collect-non-source-package-meta-attribute/17350/1 |
An initial implementation: NixOS/nixpkgs#161098 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/packages-marked-as-broken-should-come-with-an-explanation/19187/26 |
Co-authored-by: asymmetric <lorenzo@mailbox.org>
Don't know if there's a way of reserving a number - I just picked0088
as it looked like the latest.Edit: oh - is it the PR number?Fixed.See https://github.com/risicle/rfcs/blob/ris-from-source/rfcs/0089-collect-non-source-package-meta.md