pkgs/README.md at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
fork atom
lol
fork atom
nixpkgs / pkgs / README.md
at 24.11-pre 853 lines 38 kB view raw view rendered
wrap content
Peder Bergebakken Sundt pkgs/README.md: add `meta.mainProgram` to new-package checklist template 2y ago
51cd84ba
  1# Contributing to Nixpkgs packages
  2
  3This document is for people wanting to contribute specifically to the package collection in Nixpkgs.
  4See the [CONTRIBUTING.md](../CONTRIBUTING.md) document for more general information.
  5
  6## Overview
  7
  8- [`top-level`](./top-level): Entrypoints, package set aggregations
  9  - [`impure.nix`](./top-level/impure.nix), [`default.nix`](./top-level/default.nix), [`config.nix`](./top-level/config.nix): Definitions for the evaluation entry point of `import <nixpkgs>`
 10  - [`stage.nix`](./top-level/stage.nix), [`all-packages.nix`](./top-level/all-packages.nix), [`by-name-overlay.nix`](./top-level/by-name-overlay.nix), [`splice.nix`](./top-level/splice.nix): Definitions for the top-level attribute set made available through `import <nixpkgs> {…}`
 11  - `*-packages.nix`, [`linux-kernels.nix`](./top-level/linux-kernels.nix), [`unixtools.nix`](./top-level/unixtools.nix): Aggregations of nested package sets defined in `development`
 12  - [`aliases.nix`](./top-level/aliases.nix), [`python-aliases.nix`](./top-level/python-aliases.nix): Aliases for package definitions that have been renamed or removed
 13  - `release*.nix`, [`make-tarball.nix`](./top-level/make-tarball.nix), [`packages-config.nix`](./top-level/packages-config.nix), [`metrics.nix`](./top-level/metrics.nix), [`nixpkgs-basic-release-checks.nix`](./top-level/nixpkgs-basic-release-checks.nix): Entry-points and utilities used by Hydra for continuous integration
 14- [`development`](./development)
 15  - `*-modules`, `*-packages`, `*-pkgs`: Package definitions for nested package sets
 16  - All other directories loosely categorise top-level package definitions, see [category hierarchy][categories]
 17- [`build-support`](./build-support): [Builders](https://nixos.org/manual/nixpkgs/stable/#part-builders)
 18  - `fetch*`: [Fetchers](https://nixos.org/manual/nixpkgs/stable/#chap-pkgs-fetchers)
 19- [`stdenv`](./stdenv): [Standard environment](https://nixos.org/manual/nixpkgs/stable/#part-stdenv)
 20- [`pkgs-lib`](./pkgs-lib): Definitions for utilities that need packages but are not needed for packages
 21- [`test`](./test): Tests not directly associated with any specific packages
 22- [`by-name`](./by-name): Top-level packages organised by name ([docs](./by-name/README.md))
 23- All other directories loosely categorise top-level packages definitions, see [category hierarchy][categories]
 24
 25## Quick Start to Adding a Package
 26
 27We welcome new contributors of new packages to Nixpkgs, arguably the greatest software database known. However, each new package comes with a cost for the maintainers, Continuous Integration, caching servers and users downloading Nixpkgs.
 28
 29Before adding a new package, please consider the following questions:
 30
 31* Is the package ready for general use? We don't want to include projects that are too immature or are going to be abandoned immediately. In case of doubt, check with upstream.
 32* Does the project have a clear license statement? Remember that software is unfree by default (all rights reserved), and merely providing access to the source code does not imply its redistribution. In case of doubt, ask upstream.
 33* How realistic is it that it will be used by other people? It's good that nixpkgs caters to various niches, but if it's a niche of 5 people it's probably too small.
 34* Are you willing to maintain the package? You should care enough about the package to be willing to keep it up and running for at least one complete Nixpkgs' release life-cycle.
 35
 36If any of these questions' answer is no, then you should probably not add the package.
 37
 38This is section describes a general framework of understanding and exceptions might apply.
 39
 40Luckily it's pretty easy to maintain your own package set with Nix, which can then be added to the [Nix User Repository](https://github.com/nix-community/nur) project.
 41
 42---
 43
 44Now that this is out of the way. To add a package to Nixpkgs:
 45
 461. Checkout the Nixpkgs source tree:
 47
 48   ```ShellSession
 49   $ git clone https://github.com/NixOS/nixpkgs
 50   $ cd nixpkgs
 51   ```
 52
 532. Create a package directory `pkgs/by-name/so/some-package` where `some-package` is the package name and `so` is the lowercased 2-letter prefix of the package name:
 54
 55   ```ShellSession
 56   $ mkdir -p pkgs/by-name/so/some-package
 57   ```
 58
 59   For more detailed information, see [here](./by-name/README.md).
 60
 613. Create a `package.nix` file in the package directory, containing a Nix expression — a piece of code that describes how to build the package. In this case, it should be a _function_ that is called with the package dependencies as arguments, and returns a build of the package in the Nix store.
 62
 63   ```ShellSession
 64   $ emacs pkgs/by-name/so/some-package/package.nix
 65   $ git add pkgs/by-name/so/some-package/package.nix
 66   ```
 67
 68   If the package is written in a language other than C, you should use [the corresponding language framework](https://nixos.org/manual/nixpkgs/stable/#chap-language-support).
 69
 70   You can have a look at the existing Nix expressions under `pkgs/` to see how it’s done, some of which are also using the [category hierarchy](#category-hierarchy).
 71   Here are some good ones:
 72
 73   - GNU Hello: [`pkgs/by-name/he/hello/package.nix`](./by-name/he/hello/package.nix). Trivial package, which specifies some `meta` attributes which is good practice.
 74
 75   - GNU cpio: [`pkgs/tools/archivers/cpio/default.nix`](tools/archivers/cpio/default.nix). Also a simple package. The generic builder in `stdenv` does everything for you. It has no dependencies beyond `stdenv`.
 76
 77   - GNU Multiple Precision arithmetic library (GMP): [`pkgs/development/libraries/gmp/5.1.x.nix`](development/libraries/gmp/5.1.x.nix). Also done by the generic builder, but has a dependency on `m4`.
 78
 79   - Pan, a GTK-based newsreader: [`pkgs/applications/networking/newsreaders/pan/default.nix`](applications/networking/newsreaders/pan/default.nix). Has an optional dependency on `gtkspell`, which is only built if `spellCheck` is `true`.
 80
 81   - Apache HTTPD: [`pkgs/servers/http/apache-httpd/2.4.nix`](servers/http/apache-httpd/2.4.nix). A bunch of optional features, variable substitutions in the configure flags, a post-install hook, and miscellaneous hackery.
 82
 83   - buildMozillaMach: [`pkgs/applications/networking/browser/firefox/common.nix`](applications/networking/browsers/firefox/common.nix). A reusable build function for Firefox, Thunderbird and Librewolf.
 84
 85   - JDiskReport, a Java utility: [`pkgs/tools/misc/jdiskreport/default.nix`](tools/misc/jdiskreport/default.nix). Nixpkgs doesn’t have a decent `stdenv` for Java yet so this is pretty ad-hoc.
 86
 87   - XML::Simple, a Perl module: [`pkgs/top-level/perl-packages.nix`](top-level/perl-packages.nix) (search for the `XMLSimple` attribute). Most Perl modules are so simple to build that they are defined directly in `perl-packages.nix`; no need to make a separate file for them.
 88
 89   - Adobe Reader: [`pkgs/applications/misc/adobe-reader/default.nix`](applications/misc/adobe-reader/default.nix). Shows how binary-only packages can be supported. In particular the [builder](applications/misc/adobe-reader/builder.sh) uses `patchelf` to set the RUNPATH and ELF interpreter of the executables so that the right libraries are found at runtime.
 90
 91   Some notes:
 92
 93   - Add yourself as the maintainer of the package.
 94
 95   - All other [`meta`](https://nixos.org/manual/nixpkgs/stable/#chap-meta) attributes are optional, but it’s still a good idea to provide at least the `description`, `homepage` and [`license`](https://nixos.org/manual/nixpkgs/stable/#sec-meta-license).
 96
 97   - The exact syntax and semantics of the Nix expression language, including the built-in functions, are [Nix language reference](https://nixos.org/manual/nix/stable/language/).
 98
 995. To test whether the package builds, run the following command from the root of the nixpkgs source tree:
100
101   ```ShellSession
102   $ nix-build -A some-package
103   ```
104
105   where `some-package` should be the package name. You may want to add the flag `-K` to keep the temporary build directory in case something fails. If the build succeeds, a symlink `./result` to the package in the Nix store is created.
106
1076. If you want to install the package into your profile (optional), do
108
109   ```ShellSession
110   $ nix-env -f . -iA libfoo
111   ```
112
1137. Optionally commit the new package and open a pull request [to nixpkgs](https://github.com/NixOS/nixpkgs/pulls), or use [the Patches category](https://discourse.nixos.org/t/about-the-patches-category/477) on Discourse for sending a patch without a GitHub account.
114
115## Commit conventions
116
117- Make sure you read about the [commit conventions](../CONTRIBUTING.md#commit-conventions) common to Nixpkgs as a whole.
118
119- Format the commit messages in the following way:
120
121  ```
122  (pkg-name): (from -> to | init at version | refactor | etc)
123
124  (Motivation for change. Link to release notes. Additional information.)
125  ```
126
127  Examples:
128
129  * nginx: init at 2.0.1
130  * firefox: 54.0.1 -> 55.0
131
132    https://www.mozilla.org/en-US/firefox/55.0/releasenotes/
133
134## Category Hierarchy
135[categories]: #category-hierarchy
136
137Most top-level packages are organised in a loosely-categorised directory hierarchy in this directory.
138See the [overview](#overview) for which directories are part of this.
139
140This category hierarchy is partially deprecated and will be migrated away over time.
141The new `pkgs/by-name` directory ([docs](./by-name/README.md)) should be preferred instead.
142The category hierarchy may still be used for packages that should be imported using an alternate `callPackage`, such as `python3Packages.callPackage` or `libsForQt5.callPackage`.
143
144If that is the case for a new package, here are some rules for picking the right category.
145Many packages fall under several categories; what matters is the _primary_ purpose of a package.
146For example, the `libxml2` package builds both a library and some tools; but it’s a library foremost, so it goes under `pkgs/development/libraries`.
147
148<details>
149<summary>Categories</summary>
150
151**If it’s used to support _software development_:**
152
153- **If it’s a _library_ used by other packages:**
154
155  - `development/libraries` (e.g. `libxml2`)
156
157- **If it’s a _compiler_:**
158
159  - `development/compilers` (e.g. `gcc`)
160
161- **If it’s an _interpreter_:**
162
163  - `development/interpreters` (e.g. `guile`)
164
165- **If it’s a (set of) development _tool(s)_:**
166
167  - **If it’s a _parser generator_ (including lexers):**
168
169    - `development/tools/parsing` (e.g. `bison`, `flex`)
170
171  - **If it’s a _build manager_:**
172
173    - `development/tools/build-managers` (e.g. `gnumake`)
174
175  - **If it’s a _language server_:**
176
177    - `development/tools/language-servers` (e.g. `ccls` or `nil`)
178
179  - **Else:**
180
181    - `development/tools/misc` (e.g. `binutils`)
182
183- **Else:**
184
185  - `development/misc`
186
187**If it’s a (set of) _tool(s)_:**
188
189(A tool is a relatively small program, especially one intended to be used non-interactively.)
190
191- **If it’s for _networking_:**
192
193  - `tools/networking` (e.g. `wget`)
194
195- **If it’s for _text processing_:**
196
197  - `tools/text` (e.g. `diffutils`)
198
199- **If it’s a _system utility_, i.e., something related or essential to the operation of a system:**
200
201  - `tools/system` (e.g. `cron`)
202
203- **If it’s an _archiver_ (which may include a compression function):**
204
205  - `tools/archivers` (e.g. `zip`, `tar`)
206
207- **If it’s a _compression_ program:**
208
209  - `tools/compression` (e.g. `gzip`, `bzip2`)
210
211- **If it’s a _security_-related program:**
212
213  - `tools/security` (e.g. `nmap`, `gnupg`)
214
215- **Else:**
216
217  - `tools/misc`
218
219**If it’s a _shell_:**
220
221- `shells` (e.g. `bash`)
222
223**If it’s a _server_:**
224
225- **If it’s a web server:**
226
227  - `servers/http` (e.g. `apache-httpd`)
228
229- **If it’s an implementation of the X Windowing System:**
230
231  - `servers/x11` (e.g. `xorg` — this includes the client libraries and programs)
232
233- **Else:**
234
235  - `servers/misc`
236
237**If it’s a _desktop environment_:**
238
239- `desktops` (e.g. `kde`, `gnome`, `enlightenment`)
240
241**If it’s a _window manager_:**
242
243- `applications/window-managers` (e.g. `awesome`, `stumpwm`)
244
245**If it’s an _application_:**
246
247A (typically large) program with a distinct user interface, primarily used interactively.
248
249- **If it’s a _version management system_:**
250
251  - `applications/version-management` (e.g. `subversion`)
252
253- **If it’s a _terminal emulator_:**
254
255  - `applications/terminal-emulators` (e.g. `alacritty` or `rxvt` or `termite`)
256
257- **If it’s a _file manager_:**
258
259  - `applications/file-managers` (e.g. `mc` or `ranger` or `pcmanfm`)
260
261- **If it’s for _video playback / editing_:**
262
263  - `applications/video` (e.g. `vlc`)
264
265- **If it’s for _graphics viewing / editing_:**
266
267  - `applications/graphics` (e.g. `gimp`)
268
269- **If it’s for _networking_:**
270
271  - **If it’s a _mailreader_:**
272
273    - `applications/networking/mailreaders` (e.g. `thunderbird`)
274
275  - **If it’s a _newsreader_:**
276
277    - `applications/networking/newsreaders` (e.g. `pan`)
278
279  - **If it’s a _web browser_:**
280
281    - `applications/networking/browsers` (e.g. `firefox`)
282
283  - **Else:**
284
285    - `applications/networking/misc`
286
287- **Else:**
288
289  - `applications/misc`
290
291**If it’s _data_ (i.e., does not have a straight-forward executable semantics):**
292
293- **If it’s a _font_:**
294
295  - `data/fonts`
296
297- **If it’s an _icon theme_:**
298
299  - `data/icons`
300
301- **If it’s related to _SGML/XML processing_:**
302
303  - **If it’s an _XML DTD_:**
304
305    - `data/sgml+xml/schemas/xml-dtd` (e.g. `docbook`)
306
307  - **If it’s an _XSLT stylesheet_:**
308
309    (Okay, these are executable...)
310
311    - `data/sgml+xml/stylesheets/xslt` (e.g. `docbook-xsl`)
312
313- **If it’s a _theme_ for a _desktop environment_, a _window manager_ or a _display manager_:**
314
315  - `data/themes`
316
317**If it’s a _game_:**
318
319- `games`
320
321**Else:**
322
323- `misc`
324
325</details>
326
327# Conventions
328
329## Package naming
330
331The key words _must_, _must not_, _required_, _shall_, _shall not_, _should_, _should not_, _recommended_, _may_, and _optional_ in this section are to be interpreted as described in [RFC 2119](https://tools.ietf.org/html/rfc2119). Only _emphasized_ words are to be interpreted in this way.
332
333In Nixpkgs, there are generally three different names associated with a package:
334
335- The `pname` attribute of the derivation. This is what most users see, in particular when using `nix-env`.
336
337- The variable name used for the instantiated package in `all-packages.nix`, and when passing it as a dependency to other functions. Typically this is called the _package attribute name_. This is what Nix expression authors see. It can also be used when installing using `nix-env -iA`.
338
339- The filename for (the directory containing) the Nix expression.
340
341Most of the time, these are the same. For instance, the package `e2fsprogs` has a `pname` attribute `"e2fsprogs"`, is bound to the variable name `e2fsprogs` in `all-packages.nix`, and the Nix expression is in `pkgs/os-specific/linux/e2fsprogs/default.nix`.
342
343There are a few naming guidelines:
344
345- The `pname` attribute _should_ be identical to the upstream package name.
346
347- The `pname` and the `version` attribute _must not_ contain uppercase letters — e.g., `"mplayer"` instead of `"MPlayer"`.
348
349- The `version` attribute _must_ start with a digit e.g., `"0.3.1rc2"`.
350
351- If a package is a commit from a repository without a version assigned, then the `version` attribute _should_ be the latest upstream version preceding that commit, followed by `-unstable-` and the date of the (fetched) commit. The date _must_ be in `"YYYY-MM-DD"` format.
352
353Example: Given a project had its latest releases `2.2` in November 2021, and `3.0` in January 2022, a commit authored on March 15, 2022 for an upcoming bugfix release `2.2.1` would have `version = "2.2-unstable-2022-03-15"`.
354
355- If a project has no suitable preceding releases - e.g., no versions at all, or an incompatible versioning / tagging schema - then the latest upstream version in the above schema should be `0`.
356
357Example: Given a project that has no tags / released versions at all, or applies versionless tags like `latest` or `YYYY-MM-DD-Build`, a commit authored on March 15, 2022 would have `version = "0-unstable-2022-03-15"`.
358
359- Dashes in the package `pname` _should_ be preserved in new variable names, rather than converted to underscores or camel cased — e.g., `http-parser` instead of `http_parser` or `httpParser`. The hyphenated style is preferred in all three package names.
360
361- If there are multiple versions of a package, this _should_ be reflected in the variable names in `all-packages.nix`, e.g. `json-c_0_9` and `json-c_0_11`. If there is an obvious “default” version, make an attribute like `json-c = json-c_0_9;`. See also [versioning][versioning].
362
363## Versioning
364[versioning]: #versioning
365
366Because every version of a package in Nixpkgs creates a potential maintenance burden, old versions of a package should not be kept unless there is a good reason to do so. For instance, Nixpkgs contains several versions of GCC because other packages don’t build with the latest version of GCC. Other examples are having both the latest stable and latest pre-release version of a package, or to keep several major releases of an application that differ significantly in functionality.
367
368If there is only one version of a package, its Nix expression should be named `e2fsprogs/default.nix`. If there are multiple versions, this should be reflected in the filename, e.g. `e2fsprogs/1.41.8.nix` and `e2fsprogs/1.41.9.nix`. The version in the filename should leave out unnecessary detail. For instance, if we keep the latest Firefox 2.0.x and 3.5.x versions in Nixpkgs, they should be named `firefox/2.0.nix` and `firefox/3.5.nix`, respectively (which, at a given point, might contain versions `2.0.0.20` and `3.5.4`). If a version requires many auxiliary files, you can use a subdirectory for each version, e.g. `firefox/2.0/default.nix` and `firefox/3.5/default.nix`.
369
370All versions of a package _must_ be included in `all-packages.nix` to make sure that they evaluate correctly.
371
372## Meta attributes
373
374* `meta.description` must:
375  * Be short, just one sentence.
376  * Be capitalized.
377  * Not start with the package name.
378    * More generally, it should not refer to the package name.
379  * Not end with a period (or any punctuation for that matter).
380  * Provide factual information.
381    * Avoid subjective language.
382* `meta.license` must be set and match the upstream license.
383  * If there is no upstream license, `meta.license` should default to `lib.licenses.unfree`.
384  * If in doubt, try to contact the upstream developers for clarification.
385* `meta.mainProgram` must be set to the name of the executable which facilitates the primary function or purpose of the package, if there is such an executable in `$bin/bin/` (or `$out/bin/`, if there is no `"bin"` output).
386  * Packages that only have a single executable in the applicable directory above should set `meta.mainProgram`. For example, the package `ripgrep` only has a single executable `rg` under `$out/bin/`, so `ripgrep.meta.mainProgram` is set to `"rg"`.
387  * Packages like `polkit_gnome` that have no executables in the applicable directory should not set `meta.mainProgram`.
388  * Packages like `e2fsprogs` that have multiple executables, none of which can be considered the main program, should not set `meta.mainProgram`.
389  * Packages which are not primarily used for a single executable do not need to set `meta.mainProgram`.
390  * Always prefer using a hardcoded string (don't use `pname`, for example).
391  * When in doubt, ask for reviewer input.
392* `meta.maintainers` must be set for new packages.
393
394See the Nixpkgs manual for more details on [standard meta-attributes](https://nixos.org/nixpkgs/manual/#sec-standard-meta-attributes).
395
396## Import From Derivation
397
398[Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs for performance reasons:
399[Hydra](https://github.com/NixOS/hydra) evaluates the entire package set, and sequential builds during evaluation would increase evaluation times to become impractical.
400
401Import From Derivation can be worked around in some cases by committing generated intermediate files to version control and reading those instead.
402
403## Sources
404
405Always fetch source files using [Nixpkgs fetchers](https://nixos.org/manual/nixpkgs/unstable/#chap-pkgs-fetchers).
406Use reproducible sources with a high degree of availability.
407Prefer protocols that support proxies.
408
409A list of schemes for `mirror://` URLs can be found in [`pkgs/build-support/fetchurl/mirrors.nix`](build-support/fetchurl/mirrors.nix), and is supported by [`fetchurl`](https://nixos.org/manual/nixpkgs/unstable/#fetchurl).
410Other fetchers which end up relying on `fetchurl` may also support mirroring.
411
412The preferred source hash type is `sha256`.
413
414Examples going from bad to best practices:
415
416- Bad: Uses `git://` which won't be proxied.
417
418  ```nix
419  {
420    src = fetchgit {
421      url = "git://github.com/NixOS/nix.git";
422      rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae";
423      hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ=";
424    };
425  }
426  ```
427
428- Better: This is ok, but an archive fetch will still be faster.
429
430  ```nix
431  {
432    src = fetchgit {
433      url = "https://github.com/NixOS/nix.git";
434      rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae";
435      hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ=";
436    };
437  }
438  ```
439
440- Best: Fetches a snapshot archive for the given revision.
441
442  ```nix
443  {
444    src = fetchFromGitHub {
445      owner = "NixOS";
446      repo = "nix";
447      rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae";
448      hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ=";
449    };
450  }
451  ```
452
453> [!Note]
454> When fetching from GitHub, always reference revisions by their full commit hash.
455> GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous.
456> It already happened in Nixpkgs for short, 6-character commit hashes.
457>
458> Pushing large amounts of auto generated commits into forks is a practical vector for a denial-of-service attack, and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html).
459
460## Patches
461
462Patches available online should be retrieved using `fetchpatch`.
463
464```nix
465{
466  patches = [
467    (fetchpatch {
468      name = "fix-check-for-using-shared-freetype-lib.patch";
469      url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=8f5d285";
470      hash = "sha256-uRcxaCjd+WAuGrXOmGfFeu79cUILwkRdBu48mwcBE7g=";
471    })
472  ];
473}
474```
475
476Otherwise, you can add a `.patch` file to the `nixpkgs` repository. In the interest of keeping our maintenance burden to a minimum, only patches that are unique to `nixpkgs` should be added in this way.
477
478If a patch is available online but does not cleanly apply, it can be modified in some fixed ways by using additional optional arguments for `fetchpatch`. Check [the `fetchpatch` reference](https://nixos.org/manual/nixpkgs/unstable/#fetchpatch) for details.
479
480```nix
481{
482  patches = [ ./0001-changes.patch ];
483}
484```
485
486If you do need to do create this sort of patch file, one way to do so is with git:
487
4881. Move to the root directory of the source code you're patching.
489
490    ```ShellSession
491    $ cd the/program/source
492    ```
493
4942. If a git repository is not already present, create one and stage all of the source files.
495
496    ```ShellSession
497    $ git init
498    $ git add .
499    ```
500
5013. Edit some files to make whatever changes need to be included in the patch.
502
5034. Use git to create a diff, and pipe the output to a patch file:
504
505    ```ShellSession
506    $ git diff -a > nixpkgs/pkgs/the/package/0001-changes.patch
507    ```
508
509## Deprecating/removing packages
510
511There is currently no policy when to remove a package.
512
513Before removing a package, one should try to find a new maintainer or fix smaller issues first.
514
515### Steps to remove a package from Nixpkgs
516
517We use jbidwatcher as an example for a discontinued project here.
518
5191. Have Nixpkgs checked out locally and up to date.
5201. Create a new branch for your change, e.g. `git checkout -b jbidwatcher`
5211. Remove the actual package including its directory, e.g. `git rm -rf pkgs/applications/misc/jbidwatcher`
5221. Remove the package from the list of all packages (`pkgs/top-level/all-packages.nix`).
5231. Add an alias for the package name in `pkgs/top-level/aliases.nix` (There is also `pkgs/applications/editors/vim/plugins/aliases.nix`. Package sets typically do not have aliases, so we can't add them there.)
524
525    For example in this case:
526
527    ```nix
528    {
529      jbidwatcher = throw "jbidwatcher was discontinued in march 2021"; # added 2021-03-15
530    }
531    ```
532
533    The throw message should explain in short why the package was removed for users that still have it installed.
534
5351. Test if the changes introduced any issues by running `nix-env -qaP -f . --show-trace`. It should show the list of packages without errors.
5361. Commit the changes. Explain again why the package was removed. If it was declared discontinued upstream, add a link to the source.
537
538    ```ShellSession
539    $ git add pkgs/applications/misc/jbidwatcher/default.nix pkgs/top-level/all-packages.nix pkgs/top-level/aliases.nix
540    $ git commit
541    ```
542
543    Example commit message:
544
545    ```
546    jbidwatcher: remove
547
548    project was discontinued in march 2021. the program does not work anymore because ebay changed the login.
549
550    https://web.archive.org/web/20210315205723/http://www.jbidwatcher.com/
551    ```
552
5531. Push changes to your GitHub fork with `git push`
5541. Create a pull request against Nixpkgs. Mention the package maintainer.
555
556This is how the pull request looks like in this case: [https://github.com/NixOS/nixpkgs/pull/116470](https://github.com/NixOS/nixpkgs/pull/116470)
557
558## Package tests
559
560To run the main types of tests locally:
561
562- Run package-internal tests with `nix-build --attr pkgs.PACKAGE.passthru.tests`
563- Run [NixOS tests](https://nixos.org/manual/nixos/unstable/#sec-nixos-tests) with `nix-build --attr nixosTests.NAME`, where `NAME` is the name of the test listed in `nixos/tests/all-tests.nix`
564- Run [global package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) with `nix-build --attr tests.PACKAGE`, where `PACKAGE` is the name of the test listed in `pkgs/test/default.nix`
565- See `lib/tests/NAME.nix` for instructions on running specific library tests
566
567Tests are important to ensure quality and make reviews and automatic updates easy.
568
569The following types of tests exists:
570
571* [NixOS **module tests**](https://nixos.org/manual/nixos/stable/#sec-nixos-tests), which spawn one or more NixOS VMs. They exercise both NixOS modules and the packaged programs used within them. For example, a NixOS module test can start a web server VM running the `nginx` module, and a client VM running `curl` or a graphical `firefox`, and test that they can talk to each other and display the correct content.
572* Nix **package tests** are a lightweight alternative to NixOS module tests. They should be used to create simple integration tests for packages, but cannot test NixOS services, and some programs with graphical user interfaces may also be difficult to test with them.
573* The **`checkPhase` of a package**, which should execute the unit tests that are included in the source code of a package.
574
575Here in the nixpkgs manual we describe mostly _package tests_; for _module tests_ head over to the corresponding [section in the NixOS manual](https://nixos.org/manual/nixos/stable/#sec-nixos-tests).
576
577### Writing inline package tests
578
579For very simple tests, they can be written inline:
580
581```nix
582{ /* ... , */ yq-go }:
583
584buildGoModule rec {
585  # …
586
587  passthru.tests = {
588    simple = runCommand "${pname}-test" {} ''
589      echo "test: 1" | ${yq-go}/bin/yq eval -j > $out
590      [ "$(cat $out | tr -d $'\n ')" = '{"test":1}' ]
591    '';
592  };
593}
594```
595
596### Writing larger package tests
597[larger-package-tests]: #writing-larger-package-tests
598
599This is an example using the `phoronix-test-suite` package with the current best practices.
600
601Add the tests in `passthru.tests` to the package definition like this:
602
603```nix
604{ stdenv, lib, fetchurl, callPackage }:
605
606stdenv.mkDerivation {
607  # …
608
609  passthru.tests = {
610    simple-execution = callPackage ./tests.nix { };
611  };
612
613  meta = { /* … */ };
614}
615```
616
617Create `tests.nix` in the package directory:
618
619```nix
620{ runCommand, phoronix-test-suite }:
621
622let
623  inherit (phoronix-test-suite) pname version;
624in
625
626runCommand "${pname}-tests" { meta.timeout = 60; }
627  ''
628    # automatic initial setup to prevent interactive questions
629    ${phoronix-test-suite}/bin/phoronix-test-suite enterprise-setup >/dev/null
630    # get version of installed program and compare with package version
631    if [[ `${phoronix-test-suite}/bin/phoronix-test-suite version` != *"${version}"*  ]]; then
632      echo "Error: program version does not match package version"
633      exit 1
634    fi
635    # run dummy command
636    ${phoronix-test-suite}/bin/phoronix-test-suite dummy_module.dummy-command >/dev/null
637    # needed for Nix to register the command as successful
638    touch $out
639  ''
640```
641
642### Running package tests
643
644You can run these tests with:
645
646```ShellSession
647$ cd path/to/nixpkgs
648$ nix-build -A phoronix-test-suite.tests
649```
650
651### Examples of package tests
652
653Here are examples of package tests:
654
655- [Jasmin compile test](development/compilers/jasmin/test-assemble-hello-world/default.nix)
656- [Lobster compile test](development/compilers/lobster/test-can-run-hello-world.nix)
657- [Spacy annotation test](development/python-modules/spacy/annotation-test/default.nix)
658- [Libtorch test](development/libraries/science/math/libtorch/test/default.nix)
659- [Multiple tests for nanopb](development/libraries/nanopb/default.nix)
660
661### Linking NixOS module tests to a package
662
663Like [package tests][larger-package-tests] as shown above, [NixOS module tests](https://nixos.org/manual/nixos/stable/#sec-nixos-tests) can also be linked to a package, so that the tests can be easily run when changing the related package.
664
665For example, assuming we're packaging `nginx`, we can link its module test via `passthru.tests`:
666
667```nix
668{ stdenv, lib, nixosTests }:
669
670stdenv.mkDerivation {
671  # ...
672
673  passthru.tests = {
674    nginx = nixosTests.nginx;
675  };
676
677  # ...
678}
679```
680
681## Reviewing contributions
682
683### Package updates
684
685A package update is the most trivial and common type of pull request. These pull requests mainly consist of updating the version part of the package name and the source hash.
686
687It can happen that non-trivial updates include patches or more complex changes.
688
689Reviewing process:
690
691- Ensure that the package versioning [fits the guidelines](#versioning).
692- Ensure that the commit text [fits the guidelines](../CONTRIBUTING.md#commit-conventions).
693- Ensure that the package maintainers are notified.
694  - [CODEOWNERS](https://help.github.com/articles/about-codeowners) will make GitHub notify users based on the submitted changes, but it can happen that it misses some of the package maintainers.
695- Ensure that the meta field information [fits the guidelines](#meta-attributes) and is correct:
696  - License can change with version updates, so it should be checked to match the upstream license.
697  - If the package has no maintainer, a maintainer must be set. This can be the update submitter or a community member that accepts to take maintainership of the package.
698- Ensure that the code contains no typos.
699- Build the package locally.
700  - Pull requests are often targeted to the master or staging branch, and building the pull request locally when it is submitted can trigger many source builds.
701  - It is possible to rebase the changes on nixos-unstable or nixpkgs-unstable for easier review by running the following commands from a nixpkgs clone.
702
703    ```ShellSession
704    $ git fetch origin nixos-unstable
705    $ git fetch origin pull/PRNUMBER/head
706    $ git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD
707    ```
708
709    - The first command fetches the nixos-unstable branch.
710    - The second command fetches the pull request changes, `PRNUMBER` is the number at the end of the pull request title and `BASEBRANCH` the base branch of the pull request.
711    - The third command rebases the pull request changes to the nixos-unstable branch.
712  - The [nixpkgs-review](https://github.com/Mic92/nixpkgs-review) tool can be used to review a pull request content in a single command. `PRNUMBER` should be replaced by the number at the end of the pull request title. You can also provide the full github pull request url.
713
714    ```ShellSession
715    $ nix-shell -p nixpkgs-review --run "nixpkgs-review pr PRNUMBER"
716    ```
717- Run every binary.
718
719Sample template for a package update review is provided below.
720
721```markdown
722##### Reviewed points
723
724- [ ] package name fits guidelines
725- [ ] package version fits guidelines
726- [ ] package builds on ARCHITECTURE
727- [ ] executables tested on ARCHITECTURE
728- [ ] all depending packages build
729- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed
730- [ ] patches that are remotely available are fetched rather than vendored
731
732##### Possible improvements
733
734##### Comments
735```
736
737### New packages
738
739New packages are a common type of pull requests. These pull requests consists in adding a new nix-expression for a package.
740
741Review process:
742
743- Ensure that all file paths [fit the guidelines](../CONTRIBUTING.md#file-naming-and-organisation).
744- Ensure that the package name and version [fits the guidelines](#package-naming).
745- Ensure that the package versioning [fits the guidelines](#versioning).
746- Ensure that the commit text [fits the guidelines](../CONTRIBUTING.md#commit-conventions).
747- Ensure that the meta fields [fits the guidelines](#meta-attributes) and contain the correct information:
748  - License must match the upstream license.
749  - Platforms should be set (or the package will not get binary substitutes).
750  - Maintainers must be set. This can be the package submitter or a community member that accepts taking up maintainership of the package.
751  - The `meta.mainProgram` must be set if a main executable exists.
752- Report detected typos.
753- Ensure the package source:
754  - Uses `mirror://` URLs when available.
755  - Uses the most appropriate functions (e.g. packages from GitHub should use `fetchFromGitHub`).
756- Build the package locally.
757- Run every binary.
758
759Sample template for a new package review is provided below.
760
761```markdown
762##### Reviewed points
763
764- [ ] package path fits guidelines
765- [ ] package name fits guidelines
766- [ ] package version fits guidelines
767- [ ] package builds on ARCHITECTURE
768- [ ] executables tested on ARCHITECTURE
769- [ ] `meta.description` is set and fits guidelines
770- [ ] `meta.license` fits upstream license
771- [ ] `meta.platforms` is set
772- [ ] `meta.maintainers` is set
773- [ ] `meta.mainProgram` is set, if applicable.
774- [ ] build time only dependencies are declared in `nativeBuildInputs`
775- [ ] source is fetched using the appropriate function
776- [ ] the list of `phases` is not overridden
777- [ ] when a phase (like `installPhase`) is overridden it starts with `runHook preInstall` and ends with `runHook postInstall`.
778- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed
779- [ ] patches that are remotely available are fetched rather than vendored
780
781##### Possible improvements
782
783##### Comments
784```
785
786## Security
787
788### Submitting security fixes
789[security-fixes]: #submitting-security-fixes
790
791Security fixes are submitted in the same way as other changes and thus the same guidelines apply.
792
793- If a new version fixing the vulnerability has been released, update the package;
794- If the security fix comes in the form of a patch and a CVE is available, then add the patch to the Nixpkgs tree, and apply it to the package.
795  The name of the patch should be the CVE identifier, so e.g. `CVE-2019-13636.patch`; If a patch is fetched the name needs to be set as well, e.g.:
796
797  ```nix
798  (fetchpatch {
799    name = "CVE-2019-11068.patch";
800    url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch";
801    hash = "sha256-SEKe/8HcW0UBHCfPTTOnpRlzmV2nQPPeL6HOMxBZd14=";
802  })
803  ```
804
805If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch.
806
807Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`.
808
809### Vulnerability Roundup
810
811#### Issues
812
813Vulnerable packages in Nixpkgs are managed using issues.
814Currently opened ones can be found using the following:
815
816[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22)
817
818Each issue correspond to a vulnerable version of a package; As a consequence:
819
820- One issue can contain several CVEs;
821- One CVE can be shared across several issues;
822- A single package can be concerned by several issues.
823
824
825A "Vulnerability roundup" issue usually respects the following format:
826
827```txt
828<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub>
829
830<list of related CVEs, their CVSS score, and the impacted NixOS version>
831
832<list of the scanned Nixpkgs versions>
833
834<list of relevant contributors>
835```
836
837Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package.
838
839
840#### Triaging and Fixing
841
842**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable).
843If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check.
844
845If you are investigating a "true positive":
846
847- Find the earliest patched version or a code patch in the CVE details;
848- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch?
849  - **No**:
850    - [Submit a security fix][security-fixes];
851    - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](../CONTRIBUTING.md#how-to-backport-pull-requests);
852  - **Yes**: [Backport the change to the vulnerable release branch(es)](../CONTRIBUTING.md#how-to-backport-pull-requests).
853- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).