tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
fork atom
nixpkgs / pkgs / README.md
at devShellTools-shell 53 kB view raw view rendered
1# Contributing to Nixpkgs packages 2 3This document is for people wanting to contribute specifically to the package collection in Nixpkgs. 4See the [CONTRIBUTING.md](../CONTRIBUTING.md) document for more general information. 5 6## Overview 7 8- [`top-level`](./top-level): Entrypoints, package set aggregations 9 - [`impure.nix`](./top-level/impure.nix), [`default.nix`](./top-level/default.nix), [`config.nix`](./top-level/config.nix): Definitions for the evaluation entry point of `import <nixpkgs>` 10 - [`stage.nix`](./top-level/stage.nix), [`all-packages.nix`](./top-level/all-packages.nix), [`by-name-overlay.nix`](./top-level/by-name-overlay.nix), [`splice.nix`](./top-level/splice.nix): Definitions for the top-level attribute set made available through `import <nixpkgs> {…}` 11 - `*-packages.nix`, [`linux-kernels.nix`](./top-level/linux-kernels.nix), [`unixtools.nix`](./top-level/unixtools.nix): Aggregations of nested package sets defined in `development` 12 - [`aliases.nix`](./top-level/aliases.nix), [`python-aliases.nix`](./top-level/python-aliases.nix): Aliases for package definitions that have been renamed or removed 13 - `release*.nix`, [`make-tarball.nix`](./top-level/make-tarball.nix), [`packages-config.nix`](./top-level/packages-config.nix), [`metrics.nix`](./top-level/metrics.nix), [`nixpkgs-basic-release-checks.nix`](./top-level/nixpkgs-basic-release-checks.nix): Entry-points and utilities used by Hydra for continuous integration 14- [`development`](./development) 15 - `*-modules`, `*-packages`, `*-pkgs`: Package definitions for nested package sets 16 - All other directories loosely categorise top-level package definitions, see [category hierarchy][categories] 17- [`build-support`](./build-support): [Builders](https://nixos.org/manual/nixpkgs/stable/#part-builders) 18 - `fetch*`: [Fetchers](https://nixos.org/manual/nixpkgs/stable/#chap-pkgs-fetchers) 19- [`stdenv`](./stdenv): [Standard environment](https://nixos.org/manual/nixpkgs/stable/#part-stdenv) 20- [`pkgs-lib`](./pkgs-lib): Definitions for utilities that need packages but are not needed for packages 21- [`test`](./test): Tests not directly associated with any specific packages 22- [`by-name`](./by-name): Top-level packages organised by name ([docs](./by-name/README.md)) 23- All other directories loosely categorise top-level packages definitions, see [category hierarchy][categories] 24 25## Quick Start to Adding a Package 26 27We welcome new contributors of new packages to Nixpkgs, arguably the greatest software database known. 28However, each new package comes with a cost for the maintainers, Continuous Integration, caching servers and users downloading Nixpkgs. 29 30Before adding a new package, please consider the following questions: 31 32* Is the package ready for general use? 33 We don't want to include projects that are too immature or are going to be abandoned immediately. 34 In case of doubt, check with upstream. 35* Does the project have a clear license statement? 36 Remember that software is unfree by default (all rights reserved), and merely providing access to the source code does not imply its redistribution. 37 In case of doubt, ask upstream. 38* How realistic is it that it will be used by other people? 39 It's good that nixpkgs caters to various niches, but if it's a niche of 5 people it's probably too small. 40 A good estimate is checking upstream issues and pull requests, or other software repositories. 41 Library packages should have at least one dependent. 42* Is the software actively maintained upstream? 43 Especially packages that are security-critical, rely on fast-moving dependencies, or affect data integrity should see regular maintenance. 44* Are you willing to maintain the package? 45 You should care enough about the package to be willing to keep it up and running for at least one complete Nixpkgs' release life-cycle. 46 * In case you are not able to maintain the package you wrote, you can seek someone to fill that role, effectively adopting the package. 47 48If any of these questions' answer is no, then you should probably not add the package. 49 50Special care has to be taken with security-critical software components. 51Because entries in the Nix store are inert and do nothing by themselves, packages should be considered by their intended use, e.g. when used together with a NixOS module. 52 53* Any package that immediately would need to be tagged with `meta.knownVulnerabilities` is unlikely to be fit for nixpkgs. 54* Any package depending on a known-vulnerable library should be considered carefully. 55* Packages typically used with untrusted data should have a maintained and responsible upstream. 56 For example: 57 * Any package which does not follow upstream security policies should be considered vulnerable. 58 In particular, packages that vendor or fork web engines like Blink, Gecko or Webkit need to keep up with the frequent updates of those projects. 59 * Any security-critical fast-moving package such as Chrome or Firefox (or their forks) must have at least one active committer among the maintainers. 60 This ensures no critical fixes are delayed unnecessarily, endangering unsuspecting users. 61 * Services which typically work on web traffic are working on untrusted input. 62 * Data (such as archives or rich documents) commonly shared over untrusted channels (e.g. email) is untrusted. 63* Applications in the Unix authentication stack such as PAM/D-Bus modules or SUID binaries should be considered carefully, and should have a maintained and responsible upstream. 64* Encryption libraries should have a maintained and responsible upstream. 65* Security-critical components that are part of larger packages should be unvendored (=use the nixpkgs package as dependency, instead of vendored and pinned sources). 66* A "responsible upstream" includes various aspects, such as: 67 * channels to disclose security concerns 68 * being responsive to security concerns, providing fixes or workarounds 69 * transparent public disclosure of security issues when they are found or fixed 70 * These aspects are sometimes hard to verify, in which case an upstream that is not known to be irresponsible should be considered as responsible. 71* Source-available software should be built from source where possible. 72 Binary blobs risk supply chain attacks and vendored outdated libraries. 73 74This section describes a general framework of understanding and exceptions might apply. 75 76Luckily it's pretty easy to maintain your own package set with Nix, which can then be added to the [Nix User Repository](https://github.com/nix-community/nur) project. 77 78--- 79 80Now that this is out of the way. 81To add a package to Nixpkgs: 82 831. Checkout the Nixpkgs source tree: 84 85 ```ShellSession 86 $ git clone https://github.com/NixOS/nixpkgs 87 $ cd nixpkgs 88 ``` 89 902. Create a package directory `pkgs/by-name/so/some-package` where `some-package` is the package name and `so` is the lowercased 2-letter prefix of the package name: 91 92 ```ShellSession 93 $ mkdir -p pkgs/by-name/so/some-package 94 ``` 95 96 For more detailed information, see [here](./by-name/README.md). 97 983. Create a `package.nix` file in the package directory, containing a Nix expression — a piece of code that describes how to build the package. 99 In this case, it should be a _function_ that is called with the package dependencies as arguments, and returns a build of the package in the Nix store. 100 101 ```ShellSession 102 $ emacs pkgs/by-name/so/some-package/package.nix 103 $ git add pkgs/by-name/so/some-package/package.nix 104 ``` 105 106 If the package is written in a language other than C, you should use [the corresponding language framework](https://nixos.org/manual/nixpkgs/stable/#chap-language-support). 107 108 You can have a look at the existing Nix expressions under `pkgs/` to see how it’s done, some of which are also using the [category hierarchy](#category-hierarchy). 109 Here are some good ones: 110 111 - GNU Hello: [`pkgs/by-name/he/hello/package.nix`](./by-name/he/hello/package.nix). 112 Trivial package, which specifies some `meta` attributes which is good practice. 113 114 - GNU cpio: [`pkgs/by-name/cp/cpio/package.nix`](./by-name/cp/cpio/package.nix). 115 Also a simple package. 116 The generic builder in `stdenv` does everything for you. 117 It has no dependencies beyond `stdenv`. 118 119 - GNU Multiple Precision arithmetic library (GMP): [`pkgs/development/libraries/gmp`](development/libraries/gmp). 120 Also done by the generic builder, but has a dependency on `m4`. 121 122 - Pan, a GTK-based newsreader: [`pkgs/by-name/pa/pan/package.nix`](./by-name/pa/pan/package.nix). 123 Has an optional dependency on `gspell`, which is only built if `spellCheck` is `true`. 124 125 - Apache HTTPD: [`pkgs/servers/http/apache-httpd/2.4.nix`](servers/http/apache-httpd/2.4.nix). 126 A bunch of optional features, variable substitutions in the configure flags, a post-install hook, and miscellaneous hackery. 127 128 - buildMozillaMach: [`pkgs/applications/networking/browser/firefox/common.nix`](applications/networking/browsers/firefox/common.nix). 129 A reusable build function for Firefox, Thunderbird and Librewolf. 130 131 - JDiskReport, a Java utility: [`pkgs/by-name/jd/jdiskreport/package.nix`](./by-name/jd/jdiskreport/package.nix). 132 Nixpkgs doesn’t have a decent `stdenv` for Java yet so this is pretty ad-hoc. 133 134 - XML::Simple, a Perl module: [`pkgs/top-level/perl-packages.nix`](top-level/perl-packages.nix) (search for the `XMLSimple` attribute). 135 Most Perl modules are so simple to build that they are defined directly in `perl-packages.nix`; no need to make a separate file for them. 136 137 - Discord Game SDK: [`pkgs/by-name/di/discord-gamesdk/package.nix`](./by-name/di/discord-gamesdk/package.nix). 138 Shows how binary-only packages can be supported. 139 In particular, the `autoPatchelfHook` is used to set the RUNPATH and ELF interpreter of the executables so that the right libraries are found at runtime. 140 141 Some notes: 142 143 - Add yourself as the maintainer of the package. 144 145 - If this is your first time contributing (welcome!), [add yourself to the maintainers list](../maintainers/README.md#how-to-become-a-maintainer) in a separate commit. 146 147 - All other [`meta`](https://nixos.org/manual/nixpkgs/stable/#chap-meta) attributes are optional, but it’s still a good idea to provide at least the `description`, `homepage` and [`license`](https://nixos.org/manual/nixpkgs/stable/#sec-meta-license). 148 149 - The exact syntax and semantics of the Nix expression language, including the built-in functions, are [Nix language reference](https://nixos.org/manual/nix/stable/language/). 150 1515. To test whether the package builds, run the following command from the root of the nixpkgs source tree: 152 153 ```ShellSession 154 $ nix-build -A some-package 155 ``` 156 157 where `some-package` should be the package name. 158 You may want to add the flag `-K` to keep the temporary build directory in case something fails. 159 If the build succeeds, a symlink `./result` to the package in the Nix store is created. 160 1616. If you want to install the package into your profile (optional), do 162 163 ```ShellSession 164 $ nix-env -f . -iA libfoo 165 ``` 166 1677. Optionally commit the new package and open a pull request [to nixpkgs](https://github.com/NixOS/nixpkgs/pulls), or use [the Patches category](https://discourse.nixos.org/t/about-the-patches-category/477) on Discourse for sending a patch without a GitHub account. 168 169## Commit conventions 170 171- Make sure you read about the [commit conventions](../CONTRIBUTING.md#commit-conventions) common to Nixpkgs as a whole. 172 173- Format the commit messages in the following way: 174 175 ``` 176 (pkg-name): (from -> to | init at version | refactor | etc) 177 178 (Motivation for change. Link to release notes. Additional information.) 179 ``` 180 181 Examples: 182 183 * nginx: init at 2.0.1 184 * firefox: 54.0.1 -> 55.0 185 186 https://www.mozilla.org/en-US/firefox/55.0/releasenotes/ 187 188(using "→" instead of "->" is also accepted) 189 190## Category Hierarchy 191[categories]: #category-hierarchy 192 193Most top-level packages are organised in a loosely-categorised directory hierarchy in this directory. 194See the [overview](#overview) for which directories are part of this. 195 196This category hierarchy is partially deprecated and will be migrated away over time. 197The new `pkgs/by-name` directory ([docs](./by-name/README.md)) should be preferred instead. 198The category hierarchy may still be used for packages that should be imported using an alternate `callPackage`, such as `python3Packages.callPackage` or `libsForQt5.callPackage`. 199 200If that is the case for a new package, here are some rules for picking the right category. 201Many packages fall under several categories; what matters is the _primary_ purpose of a package. 202For example, the `libxml2` package builds both a library and some tools; but it’s a library foremost, so it goes under `pkgs/development/libraries`. 203 204<details> 205<summary>Categories</summary> 206 207**If it’s used to support _software development_:** 208 209- **If it’s a _library_ used by other packages:** 210 211 - `development/libraries` (e.g. `libxml2`) 212 213- **If it’s a _compiler_:** 214 215 - `development/compilers` (e.g. `gcc`) 216 217- **If it’s an _interpreter_:** 218 219 - `development/interpreters` (e.g. `guile`) 220 221- **If it’s a (set of) development _tool(s)_:** 222 223 - **If it’s a _parser generator_ (including lexers):** 224 225 - `development/tools/parsing` (e.g. `bison`, `flex`) 226 227 - **If it’s a _build manager_:** 228 229 - `development/tools/build-managers` (e.g. `gnumake`) 230 231 - **If it’s a _language server_:** 232 233 - `development/tools/language-servers` (e.g. `ccls` or `nil`) 234 235 - **Else:** 236 237 - `development/tools/misc` (e.g. `binutils`) 238 239- **Else:** 240 241 - `development/misc` 242 243**If it’s a (set of) _tool(s)_:** 244 245(A tool is a relatively small program, especially one intended to be used non-interactively.) 246 247- **If it’s for _networking_:** 248 249 - `tools/networking` (e.g. `wget`) 250 251- **If it’s for _text processing_:** 252 253 - `tools/text` (e.g. `diffutils`) 254 255- **If it’s a _system utility_, i.e., something related or essential to the operation of a system:** 256 257 - `tools/system` (e.g. `cron`) 258 259- **If it’s an _archiver_ (which may include a compression function):** 260 261 - `tools/archivers` (e.g. `zip`, `tar`) 262 263- **If it’s a _compression_ program:** 264 265 - `tools/compression` (e.g. `gzip`, `bzip2`) 266 267- **If it’s a _security_-related program:** 268 269 - `tools/security` (e.g. `nmap`, `gnupg`) 270 271- **Else:** 272 273 - `tools/misc` 274 275**If it’s a _shell_:** 276 277- `shells` (e.g. `bash`) 278 279**If it’s a _server_:** 280 281- **If it’s a web server:** 282 283 - `servers/http` (e.g. `apache-httpd`) 284 285- **If it’s an implementation of the X Windowing System:** 286 287 - `servers/x11` (e.g. `xorg` — this includes the client libraries and programs) 288 289- **Else:** 290 291 - `servers/misc` 292 293**If it’s a _desktop environment_:** 294 295- `desktops` (e.g. `kde`, `gnome`, `enlightenment`) 296 297**If it’s a _window manager_:** 298 299- `applications/window-managers` (e.g. `awesome`, `stumpwm`) 300 301**If it’s an _application_:** 302 303A (typically large) program with a distinct user interface, primarily used interactively. 304 305- **If it’s a _version management system_:** 306 307 - `applications/version-management` (e.g. `subversion`) 308 309- **If it’s a _terminal emulator_:** 310 311 - `applications/terminal-emulators` (e.g. `alacritty` or `rxvt` or `termite`) 312 313- **If it’s a _file manager_:** 314 315 - `applications/file-managers` (e.g. `mc` or `ranger` or `pcmanfm`) 316 317- **If it’s for _video playback / editing_:** 318 319 - `applications/video` (e.g. `vlc`) 320 321- **If it’s for _graphics viewing / editing_:** 322 323 - `applications/graphics` (e.g. `gimp`) 324 325- **If it’s for _networking_:** 326 327 - **If it’s a _mailreader_:** 328 329 - `applications/networking/mailreaders` (e.g. `thunderbird`) 330 331 - **If it’s a _newsreader_:** 332 333 - `applications/networking/newsreaders` (e.g. `pan`) 334 335 - **If it’s a _web browser_:** 336 337 - `applications/networking/browsers` (e.g. `firefox`) 338 339 - **Else:** 340 341 - `applications/networking/misc` 342 343- **Else:** 344 345 - `applications/misc` 346 347**If it’s _data_ (i.e., does not have a straight-forward executable semantics):** 348 349- **If it’s a _font_:** 350 351 - `data/fonts` 352 353- **If it’s an _icon theme_:** 354 355 - `data/icons` 356 357- **If it’s related to _SGML/XML processing_:** 358 359 - **If it’s an _XML DTD_:** 360 361 - `data/sgml+xml/schemas/xml-dtd` (e.g. `docbook`) 362 363 - **If it’s an _XSLT stylesheet_:** 364 365 (Okay, these are executable...) 366 367 - `data/sgml+xml/stylesheets/xslt` (e.g. `docbook-xsl`) 368 369- **If it’s a _theme_ for a _desktop environment_, a _window manager_ or a _display manager_:** 370 371 - `data/themes` 372 373**If it’s a _game_:** 374 375- `games` 376 377**Else:** 378 379- `misc` 380 381</details> 382 383# Conventions 384 385The key words _must_, _must not_, _required_, _shall_, _shall not_, _should_, _should not_, _recommended_, _may_, and _optional_ in this section are to be interpreted as described in [RFC 2119](https://tools.ietf.org/html/rfc2119). 386Only _emphasized_ words are to be interpreted in this way. 387 388## Package naming 389 390In Nixpkgs, there are generally three different names associated with a package: 391 392- The `pname` attribute of the derivation. 393 This is what most users see, in particular when using `nix-env`. 394 395- The attribute name used for the package in the [`pkgs/by-name` structure](./by-name/README.md) or in [`all-packages.nix`](./top-level/all-packages.nix), and when passing it as a dependency in recipes. 396 397- The filename for (the directory containing) the Nix expression. 398 399Most of the time, these are the same. 400For instance, the package `e2fsprogs` has a `pname` attribute `"e2fsprogs"`, is bound to the attribute name `e2fsprogs` in `all-packages.nix`, and the Nix expression is in `pkgs/os-specific/linux/e2fsprogs/default.nix`. 401 402Follow these guidelines: 403 404- For the `pname` attribute: 405 406 - It _should_ be identical to the upstream package name. 407 408 - It _must not_ contain uppercase letters. 409 410 Example: Use `"mplayer"` instead of `"MPlayer"` 411 412- For the package attribute name: 413 414 - It _must_ be a valid identifier in Nix. 415 416 - If the `pname` starts with a digit, the attribute name _should_ be prefixed with an underscore. 417 Otherwise the attribute name _should not_ be prefixed with an underline. 418 419 Example: The corresponding attribute name for `0ad` should be `_0ad`. 420 421 - New attribute names _should_ be the same as the value in `pname`. 422 423 Hyphenated names _should not_ be converted to [snake case](https://en.wikipedia.org/wiki/Snake_case) or [camel case](https://en.wikipedia.org/wiki/Camel_case). 424 This was done historically, but is not necessary any more. 425 [The Nix language allows dashes in identifiers since 2012](https://github.com/NixOS/nix/commit/95c74eae269b2b9e4bc514581b5caa1d80b54acc). 426 427 - If there are multiple versions of a package, this _should_ be reflected in the attribute names in `all-packages.nix`. 428 429 Example: `json-c_0_9` and `json-c_0_11` 430 431 If there is an obvious “default” version, make an extra attribute. 432 433 Example: `json-c = json-c_0_9;` 434 435 See also [versioning][versioning]. 436 437## Versioning 438[versioning]: #versioning 439 440These are the guidelines the `version` attribute of a package: 441 442- It _must_ start with a digit. 443 This is required for backwards-compatibility with [how `nix-env` parses derivation names](https://nix.dev/manual/nix/latest/command-ref/nix-env#selectors). 444 445 Example: `"0.3.1rc2"` or `"0-unstable-1970-01-01"` 446 447- If a package is a commit from a repository without a version assigned, then the `version` attribute _should_ be the latest upstream version preceding that commit, followed by `-unstable-` and the date of the (fetched) commit. 448 The date _must_ be in `"YYYY-MM-DD"` format. 449 450 Example: Given a project had its latest releases `2.2` in November 2021 and `3.0` in January 2022, a commit authored on March 15, 2022 for an upcoming bugfix release `2.2.1` would have `version = "2.2-unstable-2022-03-15"`. 451 452- If a project has no suitable preceding releases - e.g., no versions at all, or an incompatible versioning or tagging scheme - then the latest upstream version in the above schema should be `0`. 453 454 Example: Given a project that has no tags or released versions at all, or applies versionless tags like `latest` or `YYYY-MM-DD-Build`, a commit authored on March 15, 2022 would have `version = "0-unstable-2022-03-15"`. 455 456Because every version of a package in Nixpkgs creates a potential maintenance burden, old versions of a package should not be kept unless there is a good reason to do so. 457For instance, Nixpkgs contains several versions of GCC because other packages don’t build with the latest version of GCC. 458Other examples are having both the latest stable and latest pre-release version of a package, or to keep several major releases of an application that differ significantly in functionality. 459 460If there is only one version of a package, its Nix expression should be named (e.g) `pkgs/by-name/xy/xyz/package.nix`. 461If there are multiple versions, this should be reflected in the attribute name. 462If you wish to share code between the Nix expressions of each version, you cannot rely upon `pkgs/by-name`'s automatic attribute creation, and must create the attributes yourself in `all-packages.nix`. 463See also [`pkgs/by-name/README.md`'s section on this topic](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/README.md#recommendation-for-new-packages-with-multiple-versions). 464 465## Meta attributes 466 467The `meta` attribute set should always be placed last in the derivativion and any other "meta"-like attribute sets like `passthru` should be written before it. 468 469* `meta.description` must: 470 * Be short, just one sentence. 471 * Be capitalized. 472 * Not start with the definite or an indefinite article. 473 * Not start with the package name. 474 * More generally, it should not refer to the package name. 475 * Not end with a period (or any punctuation for that matter). 476 * Provide factual information. 477 * Avoid subjective language. 478* `meta.license` must be set and match the upstream license. 479 * If there is no upstream license, `meta.license` should default to `lib.licenses.unfree`. 480 * If in doubt, try to contact the upstream developers for clarification. 481* `meta.mainProgram` must be set to the name of the executable which facilitates the primary function or purpose of the package, if there is such an executable in `$bin/bin/` (or `$out/bin/`, if there is no `"bin"` output). 482 * Packages that only have a single executable in the applicable directory above should set `meta.mainProgram`. 483 For example, the package `ripgrep` only has a single executable `rg` under `$out/bin/`, so `ripgrep.meta.mainProgram` is set to `"rg"`. 484 * Packages like `polkit_gnome` that have no executables in the applicable directory should not set `meta.mainProgram`. 485 * Packages like `e2fsprogs` that have multiple executables, none of which can be considered the main program, should not set `meta.mainProgram`. 486 * Packages which are not primarily used for a single executable do not need to set `meta.mainProgram`. 487 * Always prefer using a hardcoded string (don't use `pname`, for example). 488 * When in doubt, ask for reviewer input. 489* `meta.maintainers` must be set for new packages. 490 491See the Nixpkgs manual for more details on [standard meta-attributes](https://nixos.org/nixpkgs/manual/#sec-standard-meta-attributes). 492 493## Import From Derivation 494 495[Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs for performance reasons: 496[Hydra](https://github.com/NixOS/hydra) evaluates the entire package set, and sequential builds during evaluation would increase evaluation times to become impractical. 497 498Import From Derivation can be worked around in some cases by committing generated intermediate files to version control and reading those instead. 499 500## Sources 501 502Always fetch source files using [Nixpkgs fetchers](https://nixos.org/manual/nixpkgs/unstable/#chap-pkgs-fetchers). 503Use reproducible sources with a high degree of availability. 504Prefer protocols that support proxies. 505 506A list of schemes for `mirror://` URLs can be found in [`pkgs/build-support/fetchurl/mirrors.nix`](build-support/fetchurl/mirrors.nix), and is supported by [`fetchurl`](https://nixos.org/manual/nixpkgs/unstable/#fetchurl). 507Other fetchers which end up relying on `fetchurl` may also support mirroring. 508 509The preferred source hash type is `sha256`. 510 511Examples going from bad to best practices: 512 513- Bad: Uses `git://` which won't be proxied. 514 515 ```nix 516 { 517 src = fetchgit { 518 url = "git://github.com/NixOS/nix.git"; 519 rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; 520 hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; 521 }; 522 } 523 ``` 524 525- Better: This is ok, but an archive fetch will still be faster. 526 527 ```nix 528 { 529 src = fetchgit { 530 url = "https://github.com/NixOS/nix.git"; 531 rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; 532 hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; 533 }; 534 } 535 ``` 536 537- Best: Fetches a snapshot archive for the given revision. 538 539 ```nix 540 { 541 src = fetchFromGitHub { 542 owner = "NixOS"; 543 repo = "nix"; 544 rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; 545 hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; 546 }; 547 } 548 ``` 549 550> [!Note] 551> When fetching from GitHub, always reference revisions by their full commit hash. 552> GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous. 553> It already happened in Nixpkgs for short, 6-character commit hashes. 554> 555> Pushing large amounts of auto generated commits into forks is a practical vector for a denial-of-service attack, and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html). 556 557## Patches 558 559Sometimes, changes are needed to the source to allow building a derivation in nixpkgs, or to get earlier access to an upstream fix or improvement. 560When using the `patches` parameter to `mkDerivation`, make sure the patch name clearly describes the reason for the patch, or add a comment. 561 562> [!Note] 563> The version of the package does not need to be changed just because a patch is applied. 564> Declarative package installations don't depend on the version, while imperative `nix-env` installations can use [`upgrade --eq/leq/--always`](https://nix.dev/manual/nix/2.25/command-ref/nix-env/upgrade#flags). 565> 566> See [Versioning](#versioning) for details on package versioning. 567 568The following describes two ways to include the patch. 569Regardless of how the patch is included, you _must_ ensure its purpose is clear and obvious. 570This enables other maintainers to more easily determine when old patches are no longer required. 571Typically, you can improve clarity with carefully considered filenames, attribute names, and/or comments; these should explain the patch's _intention_. 572Additionally, it may sometimes be helpful to clarify _how_ it resolves the issue. 573For example: _"fix gcc14 build by adding missing include"_. 574 575### Fetching patches 576 577In the interest of keeping our maintenance burden and the size of Nixpkgs to a minimum, patches already merged upstream or published elsewhere _should_ be retrieved using `fetchpatch2`: 578 579```nix 580{ 581 patches = [ 582 (fetchpatch2 { 583 name = "make-no-atomics-a-soft-failure.patch"; 584 url = "https://github.com/boostorg/math/commit/7d482f6ebc356e6ec455ccb5f51a23971bf6ce5b.patch?full_index=1"; 585 hash = "sha256-9Goa0NTUdSOs1Vm+FnkoSFhw0o8ZLNOw6cLUqCVnF5Y="; 586 }) 587 ]; 588} 589``` 590 591> [!Warning] 592> If the patch file contains short commit hashes, use `fetchpatch` instead of `fetchpatch2` ([tracking issue](https://github.com/NixOS/nixpkgs/issues/257446)). 593> This is the case if the patch contains a line similar to `index 0c97fcc35..f533e464a 100644`. 594> Depending on the patch source it is possible to expand the commit hash, in which case using `fetchpatch2` is acceptable (e.g. GitHub supports appending `?full_index=1` to the URL, as seen above). 595 596If a patch is available online but does not cleanly apply, it can be modified in some fixed ways by using additional optional arguments for `fetchpatch2`. 597Check [the `fetchpatch` reference](https://nixos.org/manual/nixpkgs/unstable/#fetchpatch) for details. 598 599When adding patches in this manner you should be reasonably sure that the used URL is stable. 600Patches referencing open pull requests will change when the PR is updated and code forges (such as GitHub) usually garbage collect commits that are no longer reachable due to rebases/amends. 601 602### Vendoring patches 603 604In the following cases, a `.patch` file _should_ be added to Nixpkgs repository, instead of retrieved: 605 606- solves problems unique to packaging in Nixpkgs 607- cannot be fetched easily 608- has a high chance to disappear in the future due to unstable or unreliable URLs 609 610The latter avoids link rot when the upstream abandons, squashes or rebases their change, in which case the commit may get garbage-collected. 611 612```nix 613{ patches = [ ./0001-add-missing-include.patch ]; } 614``` 615 616If you do need to do create this sort of patch file, one way to do so is with git: 617 6181. Move to the root directory of the source code you're patching. 619 620 ```ShellSession 621 $ cd the/program/source 622 ``` 623 6242. If a git repository is not already present, create one and stage all of the source files. 625 626 ```ShellSession 627 $ git init 628 $ git add -A 629 ``` 630 6313. Edit some files to make whatever changes need to be included in the patch. 632 6334. Use git to create a diff, and pipe the output to a patch file: 634 635 ```ShellSession 636 $ git diff -a > nixpkgs/pkgs/the/package/0001-changes.patch 637 ``` 638 639## Deprecating/removing packages 640 641There is currently no policy when to remove a package. 642 643Before removing a package, one should try to find a new maintainer or fix smaller issues first. 644 645### Steps to remove a package from Nixpkgs 646 647We use jbidwatcher as an example for a discontinued project here. 648 6491. Have Nixpkgs checked out locally and up to date. 6501. Create a new branch for your change, e.g. `git checkout -b jbidwatcher` 6511. Remove the actual package including its directory, e.g. `git rm -rf pkgs/applications/misc/jbidwatcher` 6521. Remove the package from the list of all packages (`pkgs/top-level/all-packages.nix`). 6531. Add an alias for the package name in `pkgs/top-level/aliases.nix` (There is also `pkgs/applications/editors/vim/plugins/aliases.nix`. 654 Package sets typically do not have aliases, so we can't add them there.) 655 656 For example in this case: 657 658 ```nix 659 { 660 jbidwatcher = throw "jbidwatcher was discontinued in march 2021"; # added 2021-03-15 661 } 662 ``` 663 664 The throw message should explain in short why the package was removed for users that still have it installed. 665 6661. Test if the changes introduced any issues by running `nix-env -qaP -f . --show-trace`. 667 It should show the list of packages without errors. 6681. Commit the changes. 669 Explain again why the package was removed. 670 If it was declared discontinued upstream, add a link to the source. 671 672 ```ShellSession 673 $ git add pkgs/applications/misc/jbidwatcher/default.nix pkgs/top-level/all-packages.nix pkgs/top-level/aliases.nix 674 $ git commit 675 ``` 676 677 Example commit message: 678 679 ``` 680 jbidwatcher: remove 681 682 project was discontinued in march 2021. the program does not work anymore because ebay changed the login. 683 684 https://web.archive.org/web/20210315205723/http://www.jbidwatcher.com/ 685 ``` 686 6871. Push changes to your GitHub fork with `git push` 6881. Create a pull request against Nixpkgs. 689 Mention the package maintainer. 690 691This is how the pull request looks like in this case: [https://github.com/NixOS/nixpkgs/pull/116470](https://github.com/NixOS/nixpkgs/pull/116470) 692 693## Package tests 694 695To run the main types of tests locally: 696 697- Run package-internal tests with `nix-build --attr pkgs.PACKAGE.passthru.tests` 698- Run [NixOS tests](https://nixos.org/manual/nixos/unstable/#sec-nixos-tests) with `nix-build --attr nixosTests.NAME`, where `NAME` is the name of the test listed in `nixos/tests/all-tests.nix` 699- Run [global package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) with `nix-build --attr tests.PACKAGE`, where `PACKAGE` is the name of the test listed in `pkgs/test/default.nix` 700- See `lib/tests/NAME.nix` for instructions on running specific library tests 701 702Tests are important to ensure quality and make reviews and automatic updates easy. 703 704The following types of tests exists: 705 706* [NixOS **module tests**](https://nixos.org/manual/nixos/stable/#sec-nixos-tests), which spawn one or more NixOS VMs. 707 They exercise both NixOS modules and the packaged programs used within them. 708 For example, a NixOS module test can start a web server VM running the `nginx` module, and a client VM running `curl` or a graphical `firefox`, and test that they can talk to each other and display the correct content. 709* Nix **package tests** are a lightweight alternative to NixOS module tests. 710 They should be used to create simple integration tests for packages, but cannot test NixOS services, and some programs with graphical user interfaces may also be difficult to test with them. 711* The **`checkPhase` of a package**, which should execute the unit tests that are included in the source code of a package. 712 713Here in the nixpkgs manual we describe mostly _package tests_; for _module tests_ head over to the corresponding [section in the NixOS manual](https://nixos.org/manual/nixos/stable/#sec-nixos-tests). 714 715### Writing inline package tests 716 717For very simple tests, they can be written inline: 718 719```nix 720# ... , 721{ yq-go }: 722 723buildGoModule rec { 724 # … 725 726 passthru.tests = { 727 simple = runCommand "${pname}-test" { } '' 728 echo "test: 1" | ${yq-go}/bin/yq eval -j > $out 729 [ "$(cat $out | tr -d $'\n ')" = '{"test":1}' ] 730 ''; 731 }; 732} 733``` 734 735Any derivation can be specified as a test, even if it's in a different file. 736Such a derivation that implements a test can depend on the package under test, even in the presence of `overrideAttrs`. 737 738In the following example, `(my-package.overrideAttrs f).passthru.tests` will work as expected, as long as the definition of `tests` does not rely on the original `my-package` or overrides all occurrences of `my-package`: 739 740```nix 741# my-package/default.nix 742{ stdenv, callPackage }: 743stdenv.mkDerivation (finalAttrs: { 744 # ... 745 passthru.tests.example = callPackage ./example.nix { my-package = finalAttrs.finalPackage; }; 746}) 747``` 748 749```nix 750# my-package/example.nix 751{ 752 runCommand, 753 lib, 754 my-package, 755 ... 756}: 757runCommand "my-package-test" 758 { 759 nativeBuildInputs = [ my-package ]; 760 src = lib.sources.sourcesByRegex ./. [ 761 ".*.in" 762 ".*.expected" 763 ]; 764 } 765 '' 766 my-package --help 767 my-package <example.in >example.actual 768 diff -U3 --color=auto example.expected example.actual 769 mkdir $out 770 '' 771``` 772 773### Writing larger package tests 774[larger-package-tests]: #writing-larger-package-tests 775 776This is an example using the `phoronix-test-suite` package with the current best practices. 777 778Add the tests in `passthru.tests` to the package definition like this: 779 780```nix 781{ 782 stdenv, 783 lib, 784 fetchurl, 785 callPackage, 786}: 787 788stdenv.mkDerivation { 789 # … 790 791 passthru.tests = { 792 simple-execution = callPackage ./tests.nix { }; 793 }; 794 795 meta = { 796 # … 797 }; 798} 799``` 800 801Create `tests.nix` in the package directory: 802 803```nix 804{ runCommand, phoronix-test-suite }: 805 806let 807 inherit (phoronix-test-suite) pname version; 808 809in 810runCommand "${pname}-tests" { meta.timeout = 60; } '' 811 # automatic initial setup to prevent interactive questions 812 ${phoronix-test-suite}/bin/phoronix-test-suite enterprise-setup >/dev/null 813 # get version of installed program and compare with package version 814 if [[ `${phoronix-test-suite}/bin/phoronix-test-suite version` != *"${version}"* ]]; then 815 echo "Error: program version does not match package version" 816 exit 1 817 fi 818 # run dummy command 819 ${phoronix-test-suite}/bin/phoronix-test-suite dummy_module.dummy-command >/dev/null 820 # needed for Nix to register the command as successful 821 touch $out 822'' 823``` 824 825### Running package tests 826 827You can run these tests with: 828 829```ShellSession 830$ cd path/to/nixpkgs 831$ nix-build -A phoronix-test-suite.tests 832``` 833 834### Examples of package tests 835 836Here are examples of package tests: 837 838- [Jasmin compile test](by-name/ja/jasmin/test-assemble-hello-world/default.nix) 839- [Lobster compile test](development/compilers/lobster/test-can-run-hello-world.nix) 840- [Spacy annotation test](development/python-modules/spacy/annotation-test/default.nix) 841- [Libtorch test](development/libraries/science/math/libtorch/test/default.nix) 842- [Multiple tests for nanopb](./by-name/na/nanopb/package.nix) 843 844### Linking NixOS module tests to a package 845 846Like [package tests][larger-package-tests] as shown above, [NixOS module tests](https://nixos.org/manual/nixos/stable/#sec-nixos-tests) can also be linked to a package, so that the tests can be easily run when changing the related package. 847 848For example, assuming we're packaging `nginx`, we can link its module test via `passthru.tests`: 849 850```nix 851{ 852 stdenv, 853 lib, 854 nixosTests, 855}: 856 857stdenv.mkDerivation { 858 # ... 859 860 passthru.tests = { 861 nginx = nixosTests.nginx; 862 }; 863 864 # ... 865} 866``` 867 868## Automatic package updates 869[automatic-package-updates]: #automatic-package-updates 870 871Nixpkgs periodically tries to update all packages that have a `passthru.updateScript` attribute. 872 873> [!Note] 874> A common pattern is to use the [`nix-update-script`](../pkgs/by-name/ni/nix-update/nix-update-script.nix) attribute provided in Nixpkgs, which runs [`nix-update`](https://github.com/Mic92/nix-update): 875> 876> ```nix 877> { stdenv, nix-update-script }: 878> stdenv.mkDerivation { 879> # ... 880> passthru.updateScript = nix-update-script { }; 881> } 882> ``` 883> 884> For simple packages, this is often enough, and will ensure that the package is updated automatically by [`nixpkgs-update`](https://github.com/nix-community/nixpkgs-update) when a new version is released. 885> The [update bot](https://nix-community.org/update-bot) runs periodically to attempt to automatically update packages, and will run `passthru.updateScript` if set. 886> While not strictly necessary if the project is listed on [Repology](https://repology.org), using `nix-update-script` allows the package to update via many more sources (e.g. GitHub releases). 887 888The `passthru.updateScript` attribute can contain one of the following: 889 890- an executable file, either on the file system: 891 892 ```nix 893 { stdenv }: 894 stdenv.mkDerivation { 895 # ... 896 passthru.updateScript = ./update.sh; 897 } 898 ``` 899 900 or inside the expression itself: 901 902 ```nix 903 { stdenv, writeScript }: 904 stdenv.mkDerivation { 905 # ... 906 passthru.updateScript = writeScript "update-zoom-us" '' 907 #!/usr/bin/env nix-shell 908 #!nix-shell -i bash -p curl pcre2 common-updater-scripts 909 910 set -eu -o pipefail 911 912 version="$(curl -sI https://zoom.us/client/latest/zoom_x86_64.tar.xz | grep -Fi 'Location:' | pcre2grep -o1 '/(([0-9]\.?)+)/')" 913 update-source-version zoom-us "$version" 914 ''; 915 } 916 ``` 917 918- a list, a script file followed by arguments to be passed to it: 919 920 ```nix 921 { stdenv }: 922 stdenv.mkDerivation { 923 # ... 924 passthru.updateScript = [ 925 ../../update.sh 926 pname 927 "--requested-release=unstable" 928 ]; 929 } 930 ``` 931 932- an attribute set containing: 933 - `command` 934 935 A string or list in the [format expected by `passthru.updateScript`][automatic-package-updates] 936 937 - `attrPath` (optional) 938 939 A string containing the canonical attribute path for the package. 940 941 If present, it will be passed to the update script instead of the attribute path on which the package was discovered during Nixpkgs traversal. 942 943 - `supportedFeatures` (optional) 944 945 A list of the [extra features the script supports][supported-features]. 946 947 ```nix 948 { stdenv }: 949 stdenv.mkDerivation rec { 950 pname = "my-package"; 951 # ... 952 passthru.updateScript = { 953 command = [ 954 ../../update.sh 955 pname 956 ]; 957 attrPath = pname; 958 supportedFeatures = [ 959 # ... 960 ]; 961 }; 962 } 963 ``` 964 965### How are update scripts executed? 966 967Update scripts are to be invoked by the [automatic package update script](../maintainers/scripts/update.nix). 968You can run `nix-shell maintainers/scripts/update.nix` in the root of Nixpkgs repository for information on how to use it. 969`update.nix` offers several modes for selecting packages to update, and it will execute update scripts for all matched packages that have an `updateScript` attribute. 970 971Update scripts will be run inside the [Nixpkgs development shell](../shell.nix), providing access to some useful tools for CI. 972Furthermore each update script will be passed the following environment variables: 973 974- [`UPDATE_NIX_NAME`] – content of the `name` attribute of the updated package 975- [`UPDATE_NIX_PNAME`] – content of the `pname` attribute of the updated package 976- [`UPDATE_NIX_OLD_VERSION`] – content of the `version` attribute of the updated package 977- [`UPDATE_NIX_ATTR_PATH`] – attribute path the `update.nix` discovered the package on (or the package's specified `attrPath` when available). 978 Example: `pantheon.elementary-terminal` 979 980> [!Note] 981> An update script will be usually run from the root of the Nixpkgs repository, but you should not rely on that. 982> Also note that `update.nix` executes update scripts in parallel by default, so you should avoid running `git commit` or any other commands that cannot handle that. 983 984While update scripts should not create commits themselves, `update.nix` supports automatically creating commits when running it with `--argstr commit true`. 985If you need to customize commit message, you can have the update script implement the `commit` feature. 986 987### Supported features 988[update-script-supported-features]: #supported-features 989 990- `commit` 991 992 This feature allows update scripts to *ask* `update.nix` to create Git commits. 993 994 When support of this feature is declared, whenever the update script exits with `0` return status, it is expected to print a JSON list containing an object described below for each updated attribute to standard output. 995 Example: 996 997 ```json 998 [ 999 { 1000 "attrPath": "volume_key", 1001 "oldVersion": "0.3.11", 1002 "newVersion": "0.3.12", 1003 "files": [ 1004 "/path/to/nixpkgs/pkgs/development/libraries/volume-key/default.nix" 1005 ] 1006 } 1007 ] 1008 ``` 1009 ::: 1010 1011 When `update.nix` is run with `--argstr commit true`, it will create a separate commit for each of the objects. 1012 An empty list can be returned when the script did not update any files; for example, when the package is already at the latest version. 1013 1014 The commit object contains the following values: 1015 1016 - `attrPath` – a string containing the attribute path 1017 - `oldVersion` – a string containing the old version 1018 - `newVersion` – a string containing the new version 1019 - `files` – a non-empty list of file paths (as strings) to add to the commit 1020 - `commitBody` (optional) – a string with extra content to be appended to the default commit message (useful for adding changelog links) 1021 - `commitMessage` (optional) – a string to use instead of the default commit message 1022 1023 If the returned list contains exactly one object (e.g. `[{}]`), all values are optional and will be determined automatically. 1024 1025## Reviewing contributions 1026 1027### Package updates 1028 1029A package update is the most trivial and common type of pull request. 1030These pull requests mainly consist of updating the version part of the package name and the source hash. 1031 1032It can happen that non-trivial updates include patches or more complex changes. 1033 1034Reviewing process: 1035 1036- Ensure that the package versioning [fits the guidelines](#versioning). 1037- Ensure that the commit text [fits the guidelines](../CONTRIBUTING.md#commit-conventions). 1038- Ensure that the package maintainers are notified. 1039 - The continuous integration system will make GitHub notify users based on the submitted changes, but it can happen that it misses some of the package maintainers. 1040- Ensure that the meta field information [fits the guidelines](#meta-attributes) and is correct: 1041 - License can change with version updates, so it should be checked to match the upstream license. 1042 - If the package has no maintainer, a maintainer must be set. 1043 This can be the update submitter or a community member that accepts to take maintainership of the package. 1044- Verify any change of upstream. 1045 - If switching from e.g. PyPi to GitHub, verify that the repo is the official one. 1046 - If switching to a fork, check with external sources like other package repositories for community consensus. 1047- Ensure any special packaging choices and required context are documented in i.e. the name of a patch or in a comment. 1048 - If a special version of a package is pinned, document why, so others know if/when it can be unpinned. 1049 - If any (especially opinionated) patch or `substituteInPlace` is applied, document why. 1050 - If any non-default build flags are set, document why. 1051 - If checks are partially or fully disabled, document why. 1052- Ensure that the code contains no typos. 1053- Build the package locally. 1054 - Pull requests are often targeted to the master or staging branch, and building the pull request locally when it is submitted can trigger many source builds. 1055 - It is possible to rebase the changes on nixos-unstable or nixpkgs-unstable for easier review by running the following commands from a nixpkgs clone. 1056 1057 ```ShellSession 1058 $ git fetch origin nixos-unstable 1059 $ git fetch origin pull/PRNUMBER/head 1060 $ git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD 1061 ``` 1062 1063 - The first command fetches the nixos-unstable branch. 1064 - The second command fetches the pull request changes, `PRNUMBER` is the number at the end of the pull request title and `BASEBRANCH` the base branch of the pull request. 1065 - The third command rebases the pull request changes to the nixos-unstable branch. 1066 - The [nixpkgs-review](https://github.com/Mic92/nixpkgs-review) tool can be used to review a pull request content in a single command. 1067 `PRNUMBER` should be replaced by the number at the end of the pull request title. 1068 You can also provide the full github pull request url. 1069 1070 ```ShellSession 1071 $ nix-shell -p nixpkgs-review --run "nixpkgs-review pr PRNUMBER" 1072 ``` 1073- Run every binary. 1074 1075Sample template for a package update review is provided below. 1076 1077```markdown 1078##### Reviewed points 1079 1080- [ ] package name fits guidelines 1081- [ ] package version fits guidelines 1082- [ ] package builds on ARCHITECTURE 1083- [ ] executables tested on ARCHITECTURE 1084- [ ] any change of upstream are verified 1085- [ ] the motives for any special packaging choices are documented 1086- [ ] all depending packages build 1087- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed 1088- [ ] patches that are remotely available are fetched rather than vendored 1089 1090##### Possible improvements 1091 1092##### Comments 1093``` 1094 1095### New packages 1096 1097New packages are a common type of pull requests. 1098These pull requests consists in adding a new nix-expression for a package. 1099 1100Review process: 1101 1102- Ensure that all file paths [fit the guidelines](../CONTRIBUTING.md#file-naming-and-organisation). 1103- Ensure that the package name and version [fits the guidelines](#package-naming). 1104- Ensure that the package versioning [fits the guidelines](#versioning). 1105- Ensure that the commit text [fits the guidelines](../CONTRIBUTING.md#commit-conventions). 1106- Ensure that the source is fetched from an official location, one of our [trusted mirrors](./build-support/fetchurl/mirrors.nix), or a mirror trusted by the authors. 1107- Ensure that the meta fields [fits the guidelines](#meta-attributes) and contain the correct information: 1108 - License must match the upstream license. 1109 - Platforms should be set (or the package will not get binary substitutes). 1110 - Maintainers must be set. 1111 This can be the package submitter or a community member that accepts taking up maintainership of the package. 1112 - The `meta.mainProgram` must be set if a main executable exists. 1113- Ensure any special packaging choices and required context are documented in i.e. the name of a patch or in a comment. 1114 - If a special version of a package is pinned, document why, so others know if/when it can be unpinned. 1115 - If any (especially opinionated) patch or `substituteInPlace` is applied, document why. 1116 - If any non-default build flags are set, document why. 1117 - If checks are partially or fully disabled, document why. 1118- Report detected typos. 1119- Ensure the package source: 1120 - Uses `mirror://` URLs when available. 1121 - Uses the most appropriate functions (e.g. packages from GitHub should use `fetchFromGitHub`). 1122- Build the package locally. 1123- Run every binary. 1124 1125Sample template for a new package review is provided below. 1126 1127```markdown 1128##### Reviewed points 1129 1130- [ ] package path fits guidelines 1131- [ ] package name fits guidelines 1132- [ ] package version fits guidelines 1133- [ ] package builds on ARCHITECTURE 1134- [ ] executables tested on ARCHITECTURE 1135- [ ] `meta.description` is set and fits guidelines 1136- [ ] `meta.license` fits upstream license 1137- [ ] `meta.platforms` is set 1138- [ ] `meta.maintainers` is set 1139- [ ] `meta.mainProgram` is set, if applicable. 1140- [ ] build time only dependencies are declared in `nativeBuildInputs` 1141- [ ] source is fetched from an official or trusted location 1142- [ ] source is fetched using the appropriate function 1143- [ ] the motives for any special packaging choices are documented 1144- [ ] the list of `phases` is not overridden 1145- [ ] when a phase (like `installPhase`) is overridden it starts with `runHook preInstall` and ends with `runHook postInstall`. 1146- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed 1147- [ ] patches that are remotely available are fetched rather than vendored 1148 1149##### Possible improvements 1150 1151##### Comments 1152``` 1153 1154## Security 1155 1156### Submitting security fixes 1157[security-fixes]: #submitting-security-fixes 1158 1159Security fixes are submitted in the same way as other changes and thus the same guidelines apply. 1160 1161- If a new version fixing the vulnerability has been released, update the package; 1162- If the security fix comes in the form of a patch and a CVE is available, then add the patch to the Nixpkgs tree, and apply it to the package. 1163 The name of the patch should be the CVE identifier, so e.g. `CVE-2019-13636.patch`; If a patch is fetched the name needs to be set as well, e.g.: 1164 1165 ```nix 1166 (fetchpatch { 1167 name = "CVE-2019-11068.patch"; 1168 url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch"; 1169 hash = "sha256-SEKe/8HcW0UBHCfPTTOnpRlzmV2nQPPeL6HOMxBZd14="; 1170 }) 1171 ``` 1172 1173If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch. 1174 1175Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`. 1176 1177### Vulnerability Roundup 1178 1179#### Issues 1180 1181Vulnerable packages in Nixpkgs are managed using issues. 1182Currently opened ones can be found using the following: 1183 1184[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) 1185 1186Each issue correspond to a vulnerable version of a package; As a consequence: 1187 1188- One issue can contain several CVEs; 1189- One CVE can be shared across several issues; 1190- A single package can be concerned by several issues. 1191 1192 1193A "Vulnerability roundup" issue usually respects the following format: 1194 1195```txt 1196<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub> 1197 1198<list of related CVEs, their CVSS score, and the impacted NixOS version> 1199 1200<list of the scanned Nixpkgs versions> 1201 1202<list of relevant contributors> 1203``` 1204 1205Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package. 1206 1207 1208#### Triaging and Fixing 1209 1210**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable). 1211If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check. 1212 1213If you are investigating a "true positive": 1214 1215- Find the earliest patched version or a code patch in the CVE details; 1216- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch? 1217 - **No**: 1218 - [Submit a security fix][security-fixes]; 1219 - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](../CONTRIBUTING.md#how-to-backport-pull-requests); 1220 - **Yes**: [Backport the change to the vulnerable release branch(es)](../CONTRIBUTING.md#how-to-backport-pull-requests). 1221- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).