Nix Cookbook: Difference between revisions
imported>Equirosa (m): update automatic nix store optimization setting to current option from the deprecated one
imported>Robinp: Added notes about recursively checking licence stance of deps.

Line 252:
which will override the other value, and force yours to have priority.
== Auditing ==
=== License stance ===
Example of how to check whether a given list of packages (as returned by the ''pkgs.nix'' expression) conforms to a permitted-licenses policy:
<syntaxHighlight lang="nix">
with rec {
  # Incomplete list, customize to your policies.
  permissiveLicense = v:
    v.license == "bsd3" || v.license == "mit" || v.license == "bsd2"
    || v.license == "publicDomain" || v.license == "asl20" || v.license == "zlib"
    || v.license == "bsdOriginal" || v.license == "openssl";

  # Only consider derivations that carry license metadata, and omit some
  # false-positive buildInputs like bash and perl (those should arguably be
  # nativeBuildInputs instead).
  saneDep = d: d ? meta.license
    && builtins.substring 0 5 d.name != "bash-"
    && builtins.substring 0 5 d.name != "perl-";

  # Keep a node if its own license is not allowed, or if it has any
  # (transitive) dependency with a license that is not allowed.
  keepBadDeps = ds:
    builtins.filter (n: !(permissiveLicense n) || n.baddeps != [])
      (map derivToNode (builtins.filter saneDep ds));

  # Turn a derivation into a { name, license, baddeps } node, recursing
  # into its buildInputs.
  derivToNode = d: {
    license =
      if builtins.typeOf d.meta.license == "string"
      then d.meta.license
      # A list of licenses can happen; it is marked rather than concatenated
      # so that it gets looked at by hand.
      else if builtins.typeOf d.meta.license == "list"
      then "MULTI"
      else d.meta.license.shortName;
    name = d.name;
    # `or []` guards derivations that were not built with mkDerivation and
    # therefore have no buildInputs attribute.
    baddeps = keepBadDeps (builtins.filter saneDep (d.buildInputs or []));
  };
};
let ps = import ./pkgs.nix; # pkgs.nix should evaluate to a list of derivations to check
in keepBadDeps ps
</syntaxHighlight>
Then exercise it in '''nix repl''', using :p to force the result so we can actually see it:
<syntaxHighlight lang="nix">
nix-repl> xs = import ./lic.nix
nix-repl> :p xs
</syntaxHighlight>
This will print a (somewhat unreadable) nested tree of derivation names and their licences; every node kept in it either has a not-allowed license itself or has a (transitive) dependency that does.
Be sure to manually check them for false positives: navigate to the derivation in the nixpkgs repo and eyeball the license info (it is updated every now and then), and also cross-check with the original source to make sure.
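The nested tree printed by :p gets hard to read once dependency chains are more than one level deep. The following Python script is an added example and not part of the cookbook or of nixpkgs: it assumes the expression above was saved as ''lic.nix'' and evaluated with <code>nix-instantiate --eval --strict --json lic.nix</code> (which serialises the { name, license, baddeps } nodes to JSON), and flattens that output into one line per offending derivation together with the chain of build inputs that leads to it. The JSON embedded in the script is a constructed sample; the allow-list mirrors the one in the Nix expression and has to be kept in sync with it.

```python
"""Flatten the nested license-audit tree produced by the Nix expression above.

Assumed workflow (not part of the wiki page): save the expression as lic.nix
and run

    nix-instantiate --eval --strict --json lic.nix > audit.json

Every node in the resulting JSON has the shape {"name", "license", "baddeps"},
where "baddeps" is a list of nodes of the same shape.
"""
import json

# Constructed sample output: one root whose own license is not permitted, and
# one root that is fine itself but transitively pulls in a copyleft package
# through a dependency with several licenses ("MULTI", see the Nix code).
SAMPLE_JSON = """
[
  {"name": "foo-1.2", "license": "gpl3", "baddeps": []},
  {"name": "bar-0.9", "license": "mit",
   "baddeps": [
     {"name": "libbaz-3.1", "license": "MULTI",
      "baddeps": [
        {"name": "qux-2.0", "license": "agpl3", "baddeps": []}
      ]}
   ]}
]
"""

# Same allow-list as permissiveLicense in the Nix expression; keep in sync.
PERMISSIVE = {
    "bsd3", "mit", "bsd2", "publicDomain", "asl20", "zlib", "bsdOriginal", "openssl",
}


def load(text):
    """Parse the JSON written by nix-instantiate --json into a list of nodes."""
    return json.loads(text)


def walk(nodes, path=()):
    """Yield (dependency chain, license) for every node in the tree, depth first.

    The chain is a tuple of derivation names from the audited root down to
    the node itself, so a reader can see *why* a package was pulled in.
    """
    for node in nodes:
        chain = path + (node["name"],)
        yield chain, node["license"]
        yield from walk(node.get("baddeps", []), chain)


def offending(nodes):
    """Keep only nodes whose own license is not on the allow-list.

    Inner nodes with a permitted license still show up as part of the chain
    of the offending node below them, which is the information an auditor
    needs; "MULTI" is deliberately not permitted so it is reviewed by hand.
    """
    return [(chain, lic) for chain, lic in walk(nodes) if lic not in PERMISSIVE]


def render(nodes):
    """One human-readable line per offending derivation, e.g.
    'bar-0.9 -> libbaz-3.1 -> qux-2.0: agpl3'."""
    return [f"{' -> '.join(chain)}: {lic}" for chain, lic in offending(nodes)]


if __name__ == "__main__":
    # Replace SAMPLE_JSON with open("audit.json").read() for a real run.
    for line in render(load(SAMPLE_JSON)):
        print(line)
```

Running the script on the sample prints three lines: the GPL root, the multi-licensed dependency flagged for manual review, and the AGPL package reached through it. Because the Nix side already prunes subtrees that contain no problems, the flattened list is exactly the set of derivations that need a human look, and the chain tells you which root to fix or replace.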
=== Vulnerabilities ===
See Vulnix.