tjh.dev / nixpkgs
nixpkgs mirror (for testing) github.com/NixOS/nixpkgs
nix
fork atom
nixpkgs / pkgs / README.md
at haskell-updates 1259 lines 57 kB view raw view rendered
1# Contributing to Nixpkgs packages 2 3This document is for people wanting to contribute specifically to the package collection in Nixpkgs. 4See the [CONTRIBUTING.md](../CONTRIBUTING.md) document for more general information. 5 6## Overview 7 8- [`top-level`](./top-level): Entrypoints, package set aggregations 9 - [`impure.nix`](./top-level/impure.nix), [`default.nix`](./top-level/default.nix), [`config.nix`](./top-level/config.nix): Definitions for the evaluation entry point of `import <nixpkgs>` 10 - [`stage.nix`](./top-level/stage.nix), [`all-packages.nix`](./top-level/all-packages.nix), [`by-name-overlay.nix`](./top-level/by-name-overlay.nix), [`splice.nix`](./top-level/splice.nix): Definitions for the top-level attribute set made available through `import <nixpkgs> {…}` 11 - `*-packages.nix`, [`linux-kernels.nix`](./top-level/linux-kernels.nix), [`unixtools.nix`](./top-level/unixtools.nix): Aggregations of nested package sets defined in `development` 12 - [`aliases.nix`](./top-level/aliases.nix), [`python-aliases.nix`](./top-level/python-aliases.nix): Aliases for package definitions that have been renamed or removed 13 - `release*.nix`, [`make-tarball.nix`](./top-level/make-tarball.nix), [`packages-config.nix`](./top-level/packages-config.nix), [`metrics.nix`](./top-level/metrics.nix), [`nixpkgs-basic-release-checks.nix`](./top-level/nixpkgs-basic-release-checks.nix): Entry-points and utilities used by Hydra for continuous integration 14- [`development`](./development) 15 - `*-modules`, `*-packages`, `*-pkgs`: Package definitions for nested package sets 16 - All other directories loosely categorise top-level package definitions, see [category hierarchy][categories] 17- [`build-support`](./build-support): [Builders](https://nixos.org/manual/nixpkgs/stable/#part-builders) 18 - `fetch*`: [Fetchers](https://nixos.org/manual/nixpkgs/stable/#chap-pkgs-fetchers) 19- [`stdenv`](./stdenv): [Standard environment](https://nixos.org/manual/nixpkgs/stable/#part-stdenv) 20- [`pkgs-lib`](./pkgs-lib): Definitions for utilities that need packages but are not needed for packages 21- [`test`](./test): Tests not directly associated with any specific packages 22- [`by-name`](./by-name): Top-level packages organised by name ([docs](./by-name/README.md)) 23- All other directories loosely categorise top-level package definitions, see [category hierarchy][categories] 24 25## Quick Start to Adding a Package 26 27We welcome new contributors of new packages to Nixpkgs, arguably the greatest software database known. 28However, each new package comes with a cost for the maintainers, Continuous Integration, caching servers and users downloading Nixpkgs. 29 30Before adding a new package, please consider the following questions: 31 32* Is the package ready for general use? 33 We don't want to include projects that are too immature or are going to be abandoned immediately. 34 In case of doubt, check with upstream. 35* Does the project have a clear license statement? 36 Remember that software is unfree by default (all rights reserved), and merely providing access to the source code does not imply its redistribution. 37 In case of doubt, ask upstream. 38* How realistic is it that it will be used by other people? 39 It's good that nixpkgs caters to various niches, but if it's a niche of 5 people it's probably too small. 40 A good estimate is checking upstream issues and pull requests, or other software repositories. 41 * Library packages should have at least one dependent. 42 If possible, that dependent should be packaged in the same PR the library is added in, as a sanity check. 43 If it is not possible to package the dependent, a minimal test program should be added to `passthru.tests`. 44* Is the software actively maintained upstream? 45 Especially packages that are security-critical, rely on fast-moving dependencies, or affect data integrity should see regular maintenance. 46* Are you willing to maintain the package? 47 You should care enough about the package to be willing to keep it up and running for at least one complete Nixpkgs' release life-cycle. 48 * In case you are not able to maintain the package you wrote, you can seek someone to fill that role, effectively adopting the package. 49 50If any of these questions' answer is no, then you should probably not add the package. 51 52Special care has to be taken with security-critical software components. 53Because entries in the Nix store are inert and do nothing by themselves, packages should be considered by their intended use, e.g. when used together with a NixOS module. 54 55* Any package that immediately would need to be tagged with `meta.knownVulnerabilities` is unlikely to be fit for nixpkgs. 56* Any package depending on a known-vulnerable library should be considered carefully. 57* Packages typically used with untrusted data should have a maintained and responsible upstream. 58 For example: 59 * Any package which does not follow upstream security policies should be considered vulnerable. 60 In particular, packages that vendor or fork web engines like Blink, Gecko or Webkit need to keep up with the frequent updates of those projects. 61 * Any security-critical fast-moving package such as Chrome or Firefox (or their forks) must have at least one committer among the maintainers, who actively reviews, merges and backports updates. 62 This ensures no critical fixes are delayed unnecessarily, endangering unsuspecting users. 63 * Services which typically work on web traffic are working on untrusted input. 64 * Data (such as archives or rich documents) commonly shared over untrusted channels (e.g. email) is untrusted. 65* Applications in the Unix authentication stack such as PAM/D-Bus modules or SUID binaries should be considered carefully, and should have a maintained and responsible upstream. 66* Encryption libraries should have a maintained and responsible upstream. 67* Security-critical components that are part of larger packages should be unvendored (=use the nixpkgs package as dependency, instead of vendored and pinned sources). 68* A "responsible upstream" includes various aspects, such as: 69 * channels to disclose security concerns 70 * being responsive to security concerns, providing fixes or workarounds 71 * transparent public disclosure of security issues when they are found or fixed 72 * These aspects are sometimes hard to verify, in which case an upstream that is not known to be irresponsible should be considered as responsible. 73* Source-available software should be built from source where possible. 74 Binary blobs risk supply chain attacks and vendored outdated libraries. 75 76This section describes a general framework of understanding and exceptions might apply. 77 78Luckily it's pretty easy to maintain your own package set with Nix, which can then be added to the [Nix User Repository](https://github.com/nix-community/nur) project. 79 80--- 81 82Now that this is out of the way. 83To add a package to Nixpkgs: 84 851. Checkout the Nixpkgs source tree: 86 87 ```ShellSession 88 $ git clone https://github.com/NixOS/nixpkgs 89 $ cd nixpkgs 90 ``` 91 922. Create a package directory `pkgs/by-name/so/some-package` where `some-package` is the package name and `so` is the lowercased 2-letter prefix of the package name: 93 94 ```ShellSession 95 $ mkdir -p pkgs/by-name/so/some-package 96 ``` 97 98 For more detailed information, see [here](./by-name/README.md). 99 1003. Create a `package.nix` file in the package directory, containing a Nix expression — a piece of code that describes how to build the package. 101 In this case, it should be a _function_ that is called with the package dependencies as arguments, and returns a build of the package in the Nix store. 102 103 ```ShellSession 104 $ emacs pkgs/by-name/so/some-package/package.nix 105 $ git add pkgs/by-name/so/some-package/package.nix 106 ``` 107 108 If the package is written in a language other than C, you should use [the corresponding language framework](https://nixos.org/manual/nixpkgs/stable/#chap-language-support). 109 110 You can have a look at the existing Nix expressions under `pkgs/` to see how it’s done, some of which are also using the [category hierarchy](#category-hierarchy). 111 Here are some good ones: 112 113 - GNU Hello: [`pkgs/by-name/he/hello/package.nix`](./by-name/he/hello/package.nix). 114 Trivial package, which specifies some `meta` attributes which is good practice. 115 116 - GNU cpio: [`pkgs/by-name/cp/cpio/package.nix`](./by-name/cp/cpio/package.nix). 117 Also a simple package. 118 The generic builder in `stdenv` does everything for you. 119 It has no dependencies beyond `stdenv`. 120 121 - GNU Multiple Precision arithmetic library (GMP): [`pkgs/development/libraries/gmp`](development/libraries/gmp). 122 Also done by the generic builder, but has a dependency on `m4`. 123 124 - Pan, a GTK-based newsreader: [`pkgs/by-name/pa/pan/package.nix`](./by-name/pa/pan/package.nix). 125 Has an optional dependency on `gspell`, which is only built if `spellCheck` is `true`. 126 127 - Apache HTTPD: [`pkgs/servers/http/apache-httpd/2.4.nix`](servers/http/apache-httpd/2.4.nix). 128 A bunch of optional features, variable substitutions in the configure flags, a post-install hook, and miscellaneous hackery. 129 130 - buildMozillaMach: [`pkgs/build-support/build-mozilla-mach/default.nix`](./build-support/build-mozilla-mach/default.nix). 131 A reusable build function for Firefox, Thunderbird and Librewolf. 132 133 - JDiskReport, a Java utility: [`pkgs/by-name/jd/jdiskreport/package.nix`](./by-name/jd/jdiskreport/package.nix). 134 Nixpkgs doesn’t have a decent `stdenv` for Java yet so this is pretty ad-hoc. 135 136 - XML::Simple, a Perl module: [`pkgs/top-level/perl-packages.nix`](top-level/perl-packages.nix) (search for the `XMLSimple` attribute). 137 Most Perl modules are so simple to build that they are defined directly in `perl-packages.nix`; no need to make a separate file for them. 138 139 - Discord Game SDK: [`pkgs/by-name/di/discord-gamesdk/package.nix`](./by-name/di/discord-gamesdk/package.nix). 140 Shows how binary-only packages can be supported. 141 In particular, the `autoPatchelfHook` is used to set the RUNPATH and ELF interpreter of the executables so that the right libraries are found at runtime. 142 143 Some notes: 144 145 - Add yourself as the maintainer of the package. 146 147 - If this is your first time contributing (welcome!), [add yourself to the maintainers list](../maintainers/README.md#how-to-become-a-maintainer) in a separate commit. 148 149 - All other [`meta`](https://nixos.org/manual/nixpkgs/stable/#chap-meta) attributes are optional, but it’s still a good idea to provide at least the `description`, `homepage` and [`license`](https://nixos.org/manual/nixpkgs/stable/#sec-meta-license). 150 151 - The exact syntax and semantics of the Nix expression language, including the built-in functions, can be found in the [Nix language reference](https://nixos.org/manual/nix/stable/language/). 152 1535. To test whether the package builds, run the following command from the root of the nixpkgs source tree: 154 155 ```ShellSession 156 $ nix-build -A some-package 157 ``` 158 159 where `some-package` should be the package name. 160 You may want to add the flag `-K` to keep the temporary build directory in case something fails. 161 If the build succeeds, a symlink `./result` to the package in the Nix store is created. 162 1636. If you want to install the package into your profile (optional), do 164 165 ```ShellSession 166 $ nix-env -f . -iA libfoo 167 ``` 168 1697. Optionally commit the new package and open a pull request [to nixpkgs](https://github.com/NixOS/nixpkgs/pulls), or use [the Patches category](https://discourse.nixos.org/t/about-the-patches-category/477) on Discourse for sending a patch without a GitHub account. 170 171## Commit conventions 172 173- Make sure you read about the [commit conventions](../CONTRIBUTING.md#commit-conventions) common to Nixpkgs as a whole. 174 175- Format the commit messages in the following way: 176 177 ``` 178 (pkg-name): (from -> to | init at version | refactor | etc) 179 180 (Motivation for change. Link to release notes. Additional information.) 181 ``` 182 183 Examples: 184 185 * nginx: init at 2.0.1 186 * firefox: 54.0.1 -> 55.0 187 188 https://www.mozilla.org/en-US/firefox/55.0/releasenotes/ 189 190(using "→" instead of "->" is also accepted) 191 192Using the `(pkg-name):` prefix is important beyond just being a convention: it queues automatic builds by CI. 193More sophisticated prefixes are also possible: 194 195| Message | Automatic Builds | 196|--------------------------------------------------------------------------|------------------------------------------------------------| 197| `vim: 1.0.0 -> 2.0.0` | `vim` | 198| `vagrant: fix dependencies for version 2.0.2` | `vagrant` | 199| `python3{9,10}Packages.requests: 1.0.0 -> 2.0.0` | `python39Packages.requests`, `python310Packages.requests` | 200| `python312.pkgs.numpy,python313.pkgs.scipy: fix build` | `python312.pkgs.numpy` , `python313.pkgs.scipy` | 201 202When opening a PR with multiple commits, CI creates a single build job for all detected packages. 203If `passthru.tests` attributes are available, these will be built as well. 204 205If the title of the _PR_ begins with `WIP:` or contains `[WIP]` anywhere, its packages are not built automatically. 206Other than that, PR titles have meaning only for humans. 207It is recommended to keep the PR title in sync with the commit title, to make it easier to find. 208For PRs with multiple commits, the PR title should be a general summary of these commits. 209 210> [!NOTE] 211> Marking a PR as a draft does not prevent automatic builds. 212 213## Category Hierarchy 214[categories]: #category-hierarchy 215 216Most top-level packages are organised in a loosely-categorised directory hierarchy in this directory. 217See the [overview](#overview) for which directories are part of this. 218 219This category hierarchy is partially deprecated and will be migrated away over time. 220The new `pkgs/by-name` directory ([docs](./by-name/README.md)) should be preferred instead. 221The category hierarchy may still be used for packages that should be imported using an alternate `callPackage`, such as `python3Packages.callPackage` or `libsForQt5.callPackage`. 222 223If that is the case for a new package, here are some rules for picking the right category. 224Many packages fall under several categories; what matters is the _primary_ purpose of a package. 225For example, the `libxml2` package builds both a library and some tools; but it’s a library foremost, so it goes under `pkgs/development/libraries`. 226 227<details> 228<summary>Categories</summary> 229 230**If it’s used to support _software development_:** 231 232- **If it’s a _library_ used by other packages:** 233 234 - `development/libraries` (e.g. `libxml2`) 235 236- **If it’s a _compiler_:** 237 238 - `development/compilers` (e.g. `gcc`) 239 240- **If it’s an _interpreter_:** 241 242 - `development/interpreters` (e.g. `guile`) 243 244- **If it’s a (set of) development _tool(s)_:** 245 246 - **If it’s a _parser generator_ (including lexers):** 247 248 - `development/tools/parsing` (e.g. `bison`, `flex`) 249 250 - **If it’s a _build manager_:** 251 252 - `development/tools/build-managers` (e.g. `gnumake`) 253 254 - **If it’s a _language server_:** 255 256 - `development/tools/language-servers` (e.g. `ccls` or `nil`) 257 258 - **Else:** 259 260 - `development/tools/misc` (e.g. `binutils`) 261 262- **Else:** 263 264 - `development/misc` 265 266**If it’s a (set of) _tool(s)_:** 267 268(A tool is a relatively small program, especially one intended to be used non-interactively.) 269 270- **If it’s for _networking_:** 271 272 - `tools/networking` (e.g. `wget`) 273 274- **If it’s for _text processing_:** 275 276 - `tools/text` (e.g. `diffutils`) 277 278- **If it’s a _system utility_, i.e., something related or essential to the operation of a system:** 279 280 - `tools/system` (e.g. `cron`) 281 282- **If it’s an _archiver_ (which may include a compression function):** 283 284 - `tools/archivers` (e.g. `zip`, `tar`) 285 286- **If it’s a _compression_ program:** 287 288 - `tools/compression` (e.g. `gzip`, `bzip2`) 289 290- **If it’s a _security_-related program:** 291 292 - `tools/security` (e.g. `nmap`, `gnupg`) 293 294- **Else:** 295 296 - `tools/misc` 297 298**If it’s a _shell_:** 299 300- `shells` (e.g. `bash`) 301 302**If it’s a _server_:** 303 304- **If it’s a web server:** 305 306 - `servers/http` (e.g. `apache-httpd`) 307 308- **Else:** 309 310 - `servers/misc` 311 312**If it’s a _desktop environment_:** 313 314- `desktops` (e.g. `kde`, `gnome`, `enlightenment`) 315 316**If it’s a _window manager_:** 317 318- `applications/window-managers` (e.g. `awesome`, `stumpwm`) 319 320**If it’s an _application_:** 321 322A (typically large) program with a distinct user interface, primarily used interactively. 323 324- **If it’s a _version management system_:** 325 326 - `applications/version-management` (e.g. `subversion`) 327 328- **If it’s a _terminal emulator_:** 329 330 - `applications/terminal-emulators` (e.g. `alacritty` or `rxvt` or `termite`) 331 332- **If it’s a _file manager_:** 333 334 - `applications/file-managers` (e.g. `mc` or `ranger` or `pcmanfm`) 335 336- **If it’s for _video playback / editing_:** 337 338 - `applications/video` (e.g. `vlc`) 339 340- **If it’s for _graphics viewing / editing_:** 341 342 - `applications/graphics` (e.g. `gimp`) 343 344- **If it’s for _networking_:** 345 346 - **If it’s a _mailreader_:** 347 348 - `applications/networking/mailreaders` (e.g. `thunderbird`) 349 350 - **If it’s a _newsreader_:** 351 352 - `applications/networking/newsreaders` (e.g. `pan`) 353 354 - **If it’s a _web browser_:** 355 356 - `applications/networking/browsers` (e.g. `firefox`) 357 358 - **Else:** 359 360 - `applications/networking/misc` 361 362- **Else:** 363 364 - `applications/misc` 365 366**If it’s _data_ (i.e., does not have a straight-forward executable semantics):** 367 368- **If it’s a _font_:** 369 370 - `data/fonts` 371 372- **If it’s an _icon theme_:** 373 374 - `data/icons` 375 376- **If it’s related to _SGML/XML processing_:** 377 378 - **If it’s an _XML DTD_:** 379 380 - `data/sgml+xml/schemas/xml-dtd` (e.g. `docbook`) 381 382 - **If it’s an _XSLT stylesheet_:** 383 384 (Okay, these are executable...) 385 386 - `data/sgml+xml/stylesheets/xslt` (e.g. `docbook-xsl`) 387 388- **If it’s a _theme_ for a _desktop environment_, a _window manager_ or a _display manager_:** 389 390 - `data/themes` 391 392**If it’s a _game_:** 393 394- `games` 395 396**Else:** 397 398- `misc` 399 400</details> 401 402# Conventions 403 404The key words _must_, _must not_, _required_, _shall_, _shall not_, _should_, _should not_, _recommended_, _may_, and _optional_ in this section are to be interpreted as described in [RFC 2119](https://tools.ietf.org/html/rfc2119). 405Only _emphasized_ words are to be interpreted in this way. 406 407## Package naming 408 409In Nixpkgs, there are generally three different names associated with a package: 410 411- The `pname` attribute of the derivation. 412 This is what most users see, in particular when using `nix-env`. 413 414- The attribute name used for the package in the [`pkgs/by-name` structure](./by-name/README.md) or in [`all-packages.nix`](./top-level/all-packages.nix), and when passing it as a dependency in recipes. 415 416- The filename for (the directory containing) the Nix expression. 417 418Most of the time, these are the same. 419For instance, the package `e2fsprogs` has a `pname` attribute `"e2fsprogs"`, is bound to the attribute name `e2fsprogs` in `all-packages.nix`, and the Nix expression is in `pkgs/os-specific/linux/e2fsprogs/default.nix`. 420 421Follow these guidelines: 422 423- For the `pname` attribute: 424 425 - It _should_ be identical to the upstream package name. 426 427 - It _must not_ contain uppercase letters. 428 429 Example: Use `"mplayer"` instead of `"MPlayer"` 430 431- For the package attribute name: 432 433 - It _must_ be a valid identifier in Nix. 434 435 - If the `pname` starts with a digit, the attribute name _should_ be prefixed with an underscore. 436 Otherwise the attribute name _should not_ be prefixed with an underscore. 437 438 Example: The corresponding attribute name for `0ad` should be `_0ad`. 439 440 - New attribute names _should_ be the same as the value in `pname`. 441 442 Hyphenated names _should not_ be converted to [snake case](https://en.wikipedia.org/wiki/Snake_case) or [camel case](https://en.wikipedia.org/wiki/Camel_case). 443 This was done historically, but is not necessary any more. 444 [The Nix language allows dashes in identifiers since 2012](https://github.com/NixOS/nix/commit/95c74eae269b2b9e4bc514581b5caa1d80b54acc). 445 446 - If there are multiple versions of a package, this _should_ be reflected in the attribute names in `all-packages.nix`. 447 448 Example: `json-c_0_9` and `json-c_0_11` 449 450 If there is an obvious “default” version, make an extra attribute. 451 452 Example: `json-c = json-c_0_9;` 453 454 See also [versioning][versioning]. 455 456## Versioning 457[versioning]: #versioning 458 459These are the guidelines for the `version` attribute of a package: 460 461- It _must_ start with a digit. 462 This is required for backwards-compatibility with [how `nix-env` parses derivation names](https://nix.dev/manual/nix/latest/command-ref/nix-env#selectors). 463 464 Example: `"0.3.1rc2"` or `"0-unstable-1970-01-01"` 465 466- If a package is a commit from a repository without a version assigned, then the `version` attribute _should_ be the latest upstream version preceding that commit, followed by `-unstable-` and the date of the (fetched) commit. 467 The date _must_ be in `"YYYY-MM-DD"` format. 468 469 Example: Given a project had its latest releases `2.2` in November 2021 and `3.0` in January 2022, a commit authored on March 15, 2022 for an upcoming bugfix release `2.2.1` would have `version = "2.2-unstable-2022-03-15"`. 470 471- If a project has no suitable preceding releases - e.g., no versions at all, or an incompatible versioning or tagging scheme - then the latest upstream version in the above schema should be `0`. 472 473 Example: Given a project that has no tags or released versions at all, or applies versionless tags like `latest` or `YYYY-MM-DD-Build`, a commit authored on March 15, 2022 would have `version = "0-unstable-2022-03-15"`. 474 475Because every version of a package in Nixpkgs creates a potential maintenance burden, old versions of a package should not be kept unless there is a good reason to do so. 476For instance, Nixpkgs contains several versions of GCC because other packages don’t build with the latest version of GCC. 477Other examples are having both the latest stable and latest pre-release version of a package, or to keep several major releases of an application that differ significantly in functionality. 478 479If there is only one version of a package, its Nix expression should be named (e.g) `pkgs/by-name/xy/xyz/package.nix`. 480If there are multiple versions, this should be reflected in the attribute name. 481If you wish to share code between the Nix expressions of each version, you cannot rely upon `pkgs/by-name`'s automatic attribute creation, and must create the attributes yourself in `all-packages.nix`. 482See also [`pkgs/by-name/README.md`'s section on this topic](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/README.md#recommendation-for-new-packages-with-multiple-versions). 483 484## Meta attributes 485 486The `meta` attribute set should always be placed last in the derivation and any other "meta"-like attribute sets like `passthru` should be written before it. 487 488* `meta.description` must: 489 * Be short, just one sentence. 490 * Be capitalized. 491 * Not start with the definite or an indefinite article. 492 * Not start with the package name. 493 * More generally, it should not refer to the package name. 494 * Not end with a period (or any punctuation for that matter). 495 * Provide factual information. 496 * Avoid subjective language. 497* `meta.license` must be set and match the upstream license. 498 * If there is no upstream license, `meta.license` should default to `lib.licenses.unfree`. 499 * If in doubt, try to contact the upstream developers for clarification. 500* `meta.sourceProvenance` must be set if the package is not built from source. 501 * If you are repackaging a `.deb`, `.rpm`, `.whl`, or any other format provided by your upstream, this should almost always be set to `lib.sourceTypes.binaryNativeCode`. 502* `meta.mainProgram` must be set to the name of the executable which facilitates the primary function or purpose of the package, if there is such an executable in `$bin/bin/` (or `$out/bin/`, if there is no `"bin"` output). 503 * Packages that only have a single executable in the applicable directory above should set `meta.mainProgram`. 504 For example, the package `ripgrep` only has a single executable `rg` under `$out/bin/`, so `ripgrep.meta.mainProgram` is set to `"rg"`. 505 * Packages like `polkit_gnome` that have no executables in the applicable directory should not set `meta.mainProgram`. 506 * Packages like `e2fsprogs` that have multiple executables, none of which can be considered the main program, should not set `meta.mainProgram`. 507 * Packages which are not primarily used for a single executable do not need to set `meta.mainProgram`. 508 * Always prefer using a hardcoded string (don't use `pname`, for example). 509 * When in doubt, ask for reviewer input. 510* `meta.maintainers` must be set for new packages. 511 512See the Nixpkgs manual for more details on [standard meta-attributes](https://nixos.org/nixpkgs/manual/#sec-standard-meta-attributes). 513 514## Import From Derivation 515 516[Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs for performance reasons: 517[Hydra](https://github.com/NixOS/hydra) evaluates the entire package set, and sequential builds during evaluation would increase evaluation times to become impractical. 518 519Import From Derivation can be worked around in some cases by committing generated intermediate files to version control and reading those instead. 520 521## `overrideAttrs` and `overridePythonAttrs` 522 523Please do not introduce new uses of `overrideAttrs` or `overridePythonAttrs` in Nixpkgs. 524These functions are useful for out-of-tree code because they allow easy overriding a package without changing its source in Nixpkgs, but when contributing to Nixpkgs you *can* change the source of other packages. So instead of using the escape hatch that is overriding, you should try to provide proper support for the functionality you need, in ways that are visible and can be understood and accounted for by the maintainers of the patched package. 525Using `overrideAttrs` and `overridePythonAttrs` in Nixpkgs causes maintainability problems: 526 527* It's easy for multiple packages to end up duplicating basically the same override without noticing. 528* It's not clear when working on an overridden package that it's being overridden elsewhere in Nixpkgs, so `overrideAttrs` and `overridePythonAttrs` are fragile and can break accidentally when the overridden package is changed. 529* Package maintainers will not be requested for review of overrides, even though they are likely to have important knowledge about the package. 530* It is easy for overridden packages to be forgotten and remain around long after they are no longer necessary. 531* Dependency closures end up being bigger than necessary due to unnecessarily including multiple versions of the same package. 532 533Instead, keep all instances of the same package next to each other, and try to minimize how many different instances of a package are in Nixpkgs. 534If you need a patch applied to a dependency, discuss with the maintainer of that dependency whether it would be acceptable to apply to the main version of the package. 535If you need a different version of a dependency, first try modifying your package to work with the version in Nixpkgs — it's often not very hard! — and if that's not possible, try to factor out a function that can build multiple versions of the package, including the main version. 536If you need to enable or disable optional functionality of a dependency, add an explicit flag to the package and use `override` instead. 537 538## Sources 539 540Always fetch source files using [Nixpkgs fetchers](https://nixos.org/manual/nixpkgs/unstable/#chap-pkgs-fetchers). 541Use reproducible sources with a high degree of availability. 542Prefer protocols that support proxies. 543 544A list of schemes for `mirror://` URLs can be found in [`pkgs/build-support/fetchurl/mirrors.nix`](build-support/fetchurl/mirrors.nix), and is supported by [`fetchurl`](https://nixos.org/manual/nixpkgs/unstable/#fetchurl). 545Other fetchers which end up relying on `fetchurl` may also support mirroring. 546 547The preferred source hash type is `sha256`. 548 549Examples going from bad to best practices: 550 551- Bad: Uses `git://` which won't be proxied. 552 553 ```nix 554 { 555 src = fetchgit { 556 url = "git://github.com/NixOS/nix.git"; 557 rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; 558 hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; 559 }; 560 } 561 ``` 562 563- Better: This is ok, but an archive fetch will still be faster. 564 565 ```nix 566 { 567 src = fetchgit { 568 url = "https://github.com/NixOS/nix.git"; 569 rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; 570 hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; 571 }; 572 } 573 ``` 574 575- Best: Fetches a snapshot archive for the given revision. 576 577 ```nix 578 { 579 src = fetchFromGitHub { 580 owner = "NixOS"; 581 repo = "nix"; 582 rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; 583 hash = "sha256-7D4m+saJjbSFP5hOwpQq2FGR2rr+psQMTcyb1ZvtXsQ="; 584 }; 585 } 586 ``` 587 588> [!Note] 589> When fetching from GitHub, always reference revisions by their full commit hash. 590> GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous. 591> It already happened in Nixpkgs for short, 6-character commit hashes. 592> 593> Pushing large amounts of auto generated commits into forks is a practical vector for a denial-of-service attack, and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html). 594 595## Patches 596 597Sometimes, changes are needed to the source to allow building a derivation in nixpkgs, or to get earlier access to an upstream fix or improvement. 598When using the `patches` parameter to `mkDerivation`, make sure the patch name clearly describes the reason for the patch, or add a comment. 599 600> [!Note] 601> The version of the package does not need to be changed just because a patch is applied. 602> Declarative package installations don't depend on the version, while imperative `nix-env` installations can use [`upgrade --eq/leq/--always`](https://nix.dev/manual/nix/2.25/command-ref/nix-env/upgrade#flags). 603> 604> See [Versioning](#versioning) for details on package versioning. 605 606The following describes two ways to include the patch. 607Regardless of how the patch is included, you _must_ ensure its purpose is clear and obvious. 608This enables other maintainers to more easily determine when old patches are no longer required. 609Typically, you can improve clarity with carefully considered filenames, attribute names, and/or comments; these should explain the patch's _intention_. 610Additionally, it may sometimes be helpful to clarify _how_ it resolves the issue. 611For example: _"fix gcc14 build by adding missing include"_. 612 613### Fetching patches 614 615In the interest of keeping our maintenance burden and the size of Nixpkgs to a minimum, patches already merged upstream or published elsewhere _should_ be retrieved using `fetchpatch2`: 616 617```nix 618{ 619 patches = [ 620 (fetchpatch2 { 621 name = "make-no-atomics-a-soft-failure.patch"; 622 url = "https://github.com/boostorg/math/commit/7d482f6ebc356e6ec455ccb5f51a23971bf6ce5b.patch?full_index=1"; 623 hash = "sha256-9Goa0NTUdSOs1Vm+FnkoSFhw0o8ZLNOw6cLUqCVnF5Y="; 624 }) 625 ]; 626} 627``` 628 629> [!Warning] 630> If the patch file contains short commit hashes, use `fetchpatch` instead of `fetchpatch2` ([tracking issue](https://github.com/NixOS/nixpkgs/issues/257446)). 631> This is the case if the patch contains a line similar to `index 0c97fcc35..f533e464a 100644`. 632> Depending on the patch source it is possible to expand the commit hash, in which case using `fetchpatch2` is acceptable (e.g. GitHub supports appending `?full_index=1` to the URL, as seen above). 633 634If a patch is available online but does not cleanly apply, it can be modified in some fixed ways by using additional optional arguments for `fetchpatch2`. 635Check [the `fetchpatch` reference](https://nixos.org/manual/nixpkgs/unstable/#fetchpatch) for details. 636 637When adding patches in this manner you should be reasonably sure that the used URL is stable. 638Patches referencing open pull requests will change when the PR is updated and code forges (such as GitHub) usually garbage collect commits that are no longer reachable due to rebases/amends. 639 640### Vendoring patches 641 642In the following cases, a `.patch` file _should_ be added to Nixpkgs repository, instead of retrieved: 643 644- solves problems unique to packaging in Nixpkgs 645- cannot be fetched easily 646- has a high chance to disappear in the future due to unstable or unreliable URLs 647 648The latter avoids link rot when the upstream abandons, squashes or rebases their change, in which case the commit may get garbage-collected. 649 650```nix 651{ patches = [ ./0001-add-missing-include.patch ]; } 652``` 653 654If you do need to create this sort of patch file, one way to do so is with git: 655 6561. Move to the root directory of the source code you're patching. 657 658 ```ShellSession 659 $ cd the/program/source 660 ``` 661 6622. If a git repository is not already present, create one and stage all of the source files. 663 664 ```ShellSession 665 $ git init 666 $ git add -A 667 ``` 668 6693. Edit some files to make whatever changes need to be included in the patch. 670 6714. Use git to create a diff, and pipe the output to a patch file: 672 673 ```ShellSession 674 $ git diff -a > nixpkgs/pkgs/the/package/0001-changes.patch 675 ``` 676 677## Deprecating/removing packages 678 679There is currently no policy when to remove a package. 680 681Before removing a package, one should try to find a new maintainer or fix smaller issues first. 682 683### Steps to remove a package from Nixpkgs 684 685We use jbidwatcher as an example for a discontinued project here. 686 6871. Have Nixpkgs checked out locally and up to date. 6881. Create a new branch for your change, e.g. `git checkout -b jbidwatcher` 6891. Remove the actual package including its directory, e.g. `git rm -rf pkgs/applications/misc/jbidwatcher` 6901. Remove the package from the list of all packages (`pkgs/top-level/all-packages.nix`). 6911. Add an alias for the package name in `pkgs/top-level/aliases.nix` (There is also `pkgs/applications/editors/vim/plugins/aliases.nix`. 692 Package sets typically do not have aliases, so we can't add them there.) 693 694 For example in this case: 695 696 ```nix 697 { 698 jbidwatcher = throw "jbidwatcher was discontinued in march 2021"; # added 2021-03-15 699 } 700 ``` 701 702 The throw message should explain in short why the package was removed for users that still have it installed. 703 7041. Test if the changes introduced any issues by running `nix-env -qaP -f . --show-trace`. 705 It should show the list of packages without errors. 7061. Commit the changes. 707 Explain again why the package was removed. 708 If it was declared discontinued upstream, add a link to the source. 709 710 ```ShellSession 711 $ git add pkgs/applications/misc/jbidwatcher/default.nix pkgs/top-level/all-packages.nix pkgs/top-level/aliases.nix 712 $ git commit 713 ``` 714 715 Example commit message: 716 717 ``` 718 jbidwatcher: remove 719 720 project was discontinued in march 2021. the program does not work anymore because ebay changed the login. 721 722 https://web.archive.org/web/20210315205723/http://www.jbidwatcher.com/ 723 ``` 724 7251. Push changes to your GitHub fork with `git push` 7261. Create a pull request against Nixpkgs. 727 Mention the package maintainer. 728 729This is what the pull request looks like in this case: [https://github.com/NixOS/nixpkgs/pull/116470](https://github.com/NixOS/nixpkgs/pull/116470) 730 731## Package tests 732 733To run the main types of tests locally: 734 735- Run package-internal tests with `nix-build --attr pkgs.PACKAGE.passthru.tests` 736- Run [NixOS tests](https://nixos.org/manual/nixos/unstable/#sec-nixos-tests) with `nix-build --attr nixosTests.NAME`, where `NAME` is the name of the test listed in `nixos/tests/all-tests.nix` 737- Run [global package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) with `nix-build --attr tests.PACKAGE`, where `PACKAGE` is the name of the test listed in `pkgs/test/default.nix` 738- See `lib/tests/NAME.nix` for instructions on running specific library tests 739 740Tests are important to ensure quality and make reviews and automatic updates easy. 741 742The following types of tests exist: 743 744* [NixOS **module tests**](https://nixos.org/manual/nixos/stable/#sec-nixos-tests), which spawn one or more NixOS VMs. 745 They exercise both NixOS modules and the packaged programs used within them. 746 For example, a NixOS module test can start a web server VM running the `nginx` module, and a client VM running `curl` or a graphical `firefox`, and test that they can talk to each other and display the correct content. 747* Nix **package tests** are a lightweight alternative to NixOS module tests. 748 They should be used to create simple integration tests for packages, but cannot test NixOS services, and some programs with graphical user interfaces may also be difficult to test with them. 749* The **`checkPhase` of a package**, which should execute the unit tests that are included in the source code of a package. 750 751Here in the nixpkgs manual we describe mostly _package tests_; for _module tests_ head over to the corresponding [section in the NixOS manual](https://nixos.org/manual/nixos/stable/#sec-nixos-tests). 752 753### Writing inline package tests 754 755For very simple tests, they can be written inline: 756 757```nix 758# ... , 759{ yq-go }: 760 761buildGoModule rec { 762 # … 763 764 passthru.tests = { 765 simple = runCommand "${pname}-test" { } '' 766 echo "test: 1" | ${yq-go}/bin/yq eval -j > $out 767 [ "$(cat $out | tr -d $'\n ')" = '{"test":1}' ] 768 ''; 769 }; 770} 771``` 772 773Any derivation can be specified as a test, even if it's in a different file. 774Such a derivation that implements a test can depend on the package under test, even in the presence of `overrideAttrs`. 775 776In the following example, `(my-package.overrideAttrs f).passthru.tests` will work as expected, as long as the definition of `tests` does not rely on the original `my-package` or overrides all occurrences of `my-package`: 777 778```nix 779# my-package/default.nix 780{ stdenv, callPackage }: 781stdenv.mkDerivation (finalAttrs: { 782 # ... 783 passthru.tests.example = callPackage ./example.nix { my-package = finalAttrs.finalPackage; }; 784}) 785``` 786 787```nix 788# my-package/example.nix 789{ 790 runCommand, 791 lib, 792 my-package, 793 ... 794}: 795runCommand "my-package-test" 796 { 797 nativeBuildInputs = [ my-package ]; 798 src = lib.sources.sourcesByRegex ./. [ 799 ".*.in" 800 ".*.expected" 801 ]; 802 } 803 '' 804 my-package --help 805 my-package <example.in >example.actual 806 diff -U3 --color=auto example.expected example.actual 807 mkdir $out 808 '' 809``` 810 811### Writing larger package tests 812[larger-package-tests]: #writing-larger-package-tests 813 814This is an example using the `phoronix-test-suite` package with the current best practices. 815 816Add the tests in `passthru.tests` to the package definition like this: 817 818```nix 819{ 820 stdenv, 821 lib, 822 fetchurl, 823 callPackage, 824}: 825 826stdenv.mkDerivation { 827 # … 828 829 passthru.tests = { 830 simple-execution = callPackage ./tests.nix { }; 831 }; 832 833 meta = { 834 # … 835 }; 836} 837``` 838 839Create `tests.nix` in the package directory: 840 841```nix 842{ runCommand, phoronix-test-suite }: 843 844let 845 inherit (phoronix-test-suite) pname version; 846 847in 848runCommand "${pname}-tests" { meta.timeout = 60; } '' 849 # automatic initial setup to prevent interactive questions 850 ${phoronix-test-suite}/bin/phoronix-test-suite enterprise-setup >/dev/null 851 # get version of installed program and compare with package version 852 if [[ `${phoronix-test-suite}/bin/phoronix-test-suite version` != *"${version}"* ]]; then 853 echo "Error: program version does not match package version" 854 exit 1 855 fi 856 # run dummy command 857 ${phoronix-test-suite}/bin/phoronix-test-suite dummy_module.dummy-command >/dev/null 858 # needed for Nix to register the command as successful 859 touch $out 860'' 861``` 862 863### Running package tests 864 865You can run these tests with: 866 867```ShellSession 868$ cd path/to/nixpkgs 869$ nix-build -A phoronix-test-suite.tests 870``` 871 872### Examples of package tests 873 874Here are examples of package tests: 875 876- [Jasmin compile test](by-name/ja/jasmin/test-assemble-hello-world/default.nix) 877- [Lobster compile test](development/compilers/lobster/test-can-run-hello-world.nix) 878- [Spacy annotation test](development/python-modules/spacy/annotation-test/default.nix) 879- [Libtorch test](development/libraries/science/math/libtorch/test/default.nix) 880- [Multiple tests for nanopb](./by-name/na/nanopb/package.nix) 881 882### Linking NixOS module tests to a package 883 884Like [package tests][larger-package-tests] as shown above, [NixOS module tests](https://nixos.org/manual/nixos/stable/#sec-nixos-tests) can also be linked to a package, so that the tests can be easily run when changing the related package. 885 886For example, assuming we're packaging `nginx`, we can link its module test via `passthru.tests`: 887 888```nix 889{ 890 stdenv, 891 lib, 892 nixosTests, 893}: 894 895stdenv.mkDerivation { 896 # ... 897 898 passthru.tests = { 899 nginx = nixosTests.nginx; 900 }; 901 902 # ... 903} 904``` 905 906## Automatic package updates 907[automatic-package-updates]: #automatic-package-updates 908 909Nixpkgs periodically tries to update all packages that have a `passthru.updateScript` attribute. 910 911> [!Note] 912> A common pattern is to use the [`nix-update-script`](../pkgs/by-name/ni/nix-update/nix-update-script.nix) attribute provided in Nixpkgs, which runs [`nix-update`](https://github.com/Mic92/nix-update): 913> 914> ```nix 915> { stdenv, nix-update-script }: 916> stdenv.mkDerivation { 917> # ... 918> passthru.updateScript = nix-update-script { }; 919> } 920> ``` 921> 922> For simple packages, this is often enough, and will ensure that the package is updated automatically by [`nixpkgs-update`](https://github.com/nix-community/nixpkgs-update) when a new version is released. 923> The [update bot](https://nix-community.org/update-bot) runs periodically to attempt to automatically update packages, and will run `passthru.updateScript` if set. 924> While not strictly necessary if the project is listed on [Repology](https://repology.org), using `nix-update-script` allows the package to update via many more sources (e.g. GitHub releases). 925 926The `passthru.updateScript` attribute can contain one of the following: 927 928- an executable file, either on the file system: 929 930 ```nix 931 { stdenv }: 932 stdenv.mkDerivation { 933 # ... 934 passthru.updateScript = ./update.sh; 935 } 936 ``` 937 938 or inside the expression itself: 939 940 ```nix 941 { stdenv, writeScript }: 942 stdenv.mkDerivation { 943 # ... 944 passthru.updateScript = writeScript "update-zoom-us" '' 945 #!/usr/bin/env nix-shell 946 #!nix-shell -i bash -p curl pcre2 common-updater-scripts 947 948 set -eu -o pipefail 949 950 version="$(curl -sI https://zoom.us/client/latest/zoom_x86_64.tar.xz | grep -Fi 'Location:' | pcre2grep -o1 '/(([0-9]\.?)+)/')" 951 update-source-version zoom-us "$version" 952 ''; 953 } 954 ``` 955 956- a list, a script file followed by arguments to be passed to it: 957 958 ```nix 959 { stdenv }: 960 stdenv.mkDerivation { 961 # ... 962 passthru.updateScript = [ 963 ../../update.sh 964 pname 965 "--requested-release=unstable" 966 ]; 967 } 968 ``` 969 970- an attribute set containing: 971 - `command` 972 973 A string or list in the [format expected by `passthru.updateScript`][automatic-package-updates] 974 975 - `attrPath` (optional) 976 977 A string containing the canonical attribute path for the package. 978 979 If present, it will be passed to the update script instead of the attribute path on which the package was discovered during Nixpkgs traversal. 980 981 - `supportedFeatures` (optional) 982 983 A list of the [extra features the script supports][supported-features]. 984 985 ```nix 986 { stdenv }: 987 stdenv.mkDerivation rec { 988 pname = "my-package"; 989 # ... 990 passthru.updateScript = { 991 command = [ 992 ../../update.sh 993 pname 994 ]; 995 attrPath = pname; 996 supportedFeatures = [ 997 # ... 998 ]; 999 }; 1000 } 1001 ``` 1002 1003### How are update scripts executed? 1004 1005Update scripts are to be invoked by the [automatic package update script](../maintainers/scripts/update.nix). 1006You can run `nix-shell maintainers/scripts/update.nix` in the root of Nixpkgs repository for information on how to use it. 1007`update.nix` offers several modes for selecting packages to update, and it will execute update scripts for all matched packages that have an `updateScript` attribute. 1008 1009Update scripts will be run inside the [Nixpkgs development shell](../shell.nix), providing access to some useful tools for CI. 1010Furthermore each update script will be passed the following environment variables: 1011 1012- [`UPDATE_NIX_NAME`] – content of the `name` attribute of the updated package 1013- [`UPDATE_NIX_PNAME`] – content of the `pname` attribute of the updated package 1014- [`UPDATE_NIX_OLD_VERSION`] – content of the `version` attribute of the updated package 1015- [`UPDATE_NIX_ATTR_PATH`] – attribute path the `update.nix` discovered the package on (or the package's specified `attrPath` when available). 1016 Example: `pantheon.elementary-terminal` 1017 1018> [!Note] 1019> An update script will be usually run from the root of the Nixpkgs repository, but you should not rely on that. 1020> Also note that `update.nix` executes update scripts in parallel by default, so you should avoid running `git commit` or any other commands that cannot handle that. 1021 1022While update scripts should not create commits themselves, `update.nix` supports automatically creating commits when running it with `--argstr commit true`. 1023If you need to customize commit message, you can have the update script implement the `commit` feature. 1024 1025### Supported features 1026[update-script-supported-features]: #supported-features 1027 1028- `commit` 1029 1030 This feature allows update scripts to *ask* `update.nix` to create Git commits. 1031 1032 When support of this feature is declared, whenever the update script exits with `0` return status, it is expected to print a JSON list containing an object described below for each updated attribute to standard output. 1033 Example: 1034 1035 ```json 1036 [ 1037 { 1038 "attrPath": "volume_key", 1039 "oldVersion": "0.3.11", 1040 "newVersion": "0.3.12", 1041 "files": [ 1042 "/path/to/nixpkgs/pkgs/development/libraries/volume-key/default.nix" 1043 ] 1044 } 1045 ] 1046 ``` 1047 ::: 1048 1049 When `update.nix` is run with `--argstr commit true`, it will create a separate commit for each of the objects. 1050 An empty list can be returned when the script did not update any files; for example, when the package is already at the latest version. 1051 1052 The commit object contains the following values: 1053 1054 - `attrPath` – a string containing the attribute path 1055 - `oldVersion` – a string containing the old version 1056 - `newVersion` – a string containing the new version 1057 - `files` – a non-empty list of file paths (as strings) to add to the commit 1058 - `commitBody` (optional) – a string with extra content to be appended to the default commit message (useful for adding changelog links) 1059 - `commitMessage` (optional) – a string to use instead of the default commit message 1060 1061 If the returned list contains exactly one object (e.g. `[{}]`), all values are optional and will be determined automatically. 1062 1063## Reviewing contributions 1064 1065### Package updates 1066 1067A package update is the most trivial and common type of pull request. 1068These pull requests mainly consist of updating the version part of the package name and the source hash. 1069 1070It can happen that non-trivial updates include patches or more complex changes. 1071 1072Reviewing process: 1073 1074- Ensure that the package versioning [fits the guidelines](#versioning). 1075- Ensure that the commit text [fits the guidelines](../CONTRIBUTING.md#commit-conventions). 1076- Ensure that the package maintainers are notified. 1077 - The continuous integration system will make GitHub notify users based on the submitted changes, but it can happen that it misses some of the package maintainers. 1078- Ensure that the meta field information [fits the guidelines](#meta-attributes) and is correct: 1079 - License can change with version updates, so it should be checked to match the upstream license. 1080 - If the package has no maintainer, a maintainer must be set. 1081 This can be the update submitter or a community member that accepts to take maintainership of the package. 1082- Verify any change of upstream. 1083 - If switching from e.g. PyPi to GitHub, verify that the repo is the official one. 1084 - If switching to a fork, check with external sources like other package repositories for community consensus. 1085- Ensure any special packaging choices and required context are documented in i.e. the name of a patch or in a comment. 1086 - If a special version of a package is pinned, document why, so others know if/when it can be unpinned. 1087 - If any (especially opinionated) patch or `substituteInPlace` is applied, document why. 1088 - If any non-default build flags are set, document why. 1089 - If checks are partially or fully disabled, document why. 1090- Ensure that the code contains no typos. 1091- Build the package locally. 1092 - Pull requests are often targeted to the master or staging branch, and building the pull request locally when it is submitted can trigger many source builds. 1093 - It is possible to rebase the changes on nixos-unstable or nixpkgs-unstable for easier review by running the following commands from a nixpkgs clone. 1094 1095 ```ShellSession 1096 $ git fetch origin nixos-unstable 1097 $ git fetch origin pull/PRNUMBER/head 1098 $ git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD 1099 ``` 1100 1101 - The first command fetches the nixos-unstable branch. 1102 - The second command fetches the pull request changes, `PRNUMBER` is the number at the end of the pull request title and `BASEBRANCH` the base branch of the pull request. 1103 - The third command rebases the pull request changes to the nixos-unstable branch. 1104 - The [nixpkgs-review](https://github.com/Mic92/nixpkgs-review) tool can be used to review a pull request content in a single command. 1105 `PRNUMBER` should be replaced by the number at the end of the pull request title. 1106 You can also provide the full github pull request url. 1107 1108 ```ShellSession 1109 $ nix-shell -p nixpkgs-review --run "nixpkgs-review pr PRNUMBER" 1110 ``` 1111- Run every binary. 1112 1113Sample template for a package update review is provided below. 1114 1115```markdown 1116##### Reviewed points 1117 1118- [ ] package name fits guidelines 1119- [ ] package version fits guidelines 1120- [ ] package builds on ARCHITECTURE 1121- [ ] executables tested on ARCHITECTURE 1122- [ ] any change of upstream are verified 1123- [ ] the motives for any special packaging choices are documented 1124- [ ] all depending packages build 1125- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed 1126- [ ] patches that are remotely available are fetched rather than vendored 1127 1128##### Possible improvements 1129 1130##### Comments 1131``` 1132 1133### New packages 1134 1135New packages are a common type of pull requests. 1136These pull requests consist of adding a new nix-expression for a package. 1137 1138Review process: 1139 1140- Ensure that all file paths [fit the guidelines](../CONTRIBUTING.md#file-naming-and-organisation). 1141- Ensure that the package name and version [fits the guidelines](#package-naming). 1142- Ensure that the package versioning [fits the guidelines](#versioning). 1143- Ensure that the commit text [fits the guidelines](../CONTRIBUTING.md#commit-conventions). 1144- Ensure that the source is fetched from an official location, one of our [trusted mirrors](./build-support/fetchurl/mirrors.nix), or a mirror trusted by the authors. 1145- Ensure that the meta fields [fit the guidelines](#meta-attributes) and contain the correct information: 1146 - License must match the upstream license. 1147 - Platforms should be set (or the package will not get binary substitutes). 1148 - Maintainers must be set. 1149 This can be the package submitter or a community member that accepts taking up maintainership of the package. 1150 - The `meta.mainProgram` must be set if a main executable exists. 1151- Ensure any special packaging choices and required context are documented in, i.e., the name of a patch or in a comment. 1152 - If a special version of a package is pinned, document why, so others know if/when it can be unpinned. 1153 - If any (especially opinionated) patch or `substituteInPlace` is applied, document why. 1154 - If any non-default build flags are set, document why. 1155 - If checks are partially or fully disabled, document why. 1156- Report detected typos. 1157- Ensure the package source: 1158 - Uses `mirror://` URLs when available. 1159 - Uses the most appropriate functions (e.g. packages from GitHub should use `fetchFromGitHub`). 1160- Build the package locally. 1161- Run every binary. 1162 1163Sample template for a new package review is provided below. 1164 1165```markdown 1166##### Reviewed points 1167 1168- [ ] package path fits guidelines 1169- [ ] package name fits guidelines 1170- [ ] package version fits guidelines 1171- [ ] package builds on ARCHITECTURE 1172- [ ] executables tested on ARCHITECTURE 1173- [ ] `meta.description` is set and fits guidelines 1174- [ ] `meta.license` fits upstream license 1175- [ ] `meta.platforms` is set 1176- [ ] `meta.maintainers` is set 1177- [ ] `meta.mainProgram` is set, if applicable. 1178- [ ] build time only dependencies are declared in `nativeBuildInputs` 1179- [ ] source is fetched from an official or trusted location 1180- [ ] source is fetched using the appropriate function 1181- [ ] the motives for any special packaging choices are documented 1182- [ ] the list of `phases` is not overridden 1183- [ ] when a phase (like `installPhase`) is overridden it starts with `runHook preInstall` and ends with `runHook postInstall`. 1184- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed 1185- [ ] patches that are remotely available are fetched rather than vendored 1186 1187##### Possible improvements 1188 1189##### Comments 1190``` 1191 1192## Security 1193 1194### Submitting security fixes 1195[security-fixes]: #submitting-security-fixes 1196 1197Security fixes are submitted in the same way as other changes and thus the same guidelines apply. 1198 1199- If a new version fixing the vulnerability has been released, update the package; 1200- If the security fix comes in the form of a patch and a CVE is available, then add the patch to the Nixpkgs tree, and apply it to the package. 1201 The name of the patch should be the CVE identifier, so e.g. `CVE-2019-13636.patch`; If a patch is fetched the name needs to be set as well, e.g.: 1202 1203 ```nix 1204 (fetchpatch { 1205 name = "CVE-2019-11068.patch"; 1206 url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch"; 1207 hash = "sha256-SEKe/8HcW0UBHCfPTTOnpRlzmV2nQPPeL6HOMxBZd14="; 1208 }) 1209 ``` 1210 1211If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch. 1212 1213Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`. 1214 1215### Vulnerability Roundup 1216 1217#### Issues 1218 1219Vulnerable packages in Nixpkgs are managed using issues. 1220Currently opened ones can be found using the following: 1221 1222[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) 1223 1224Each issue corresponds to a vulnerable version of a package; as a consequence: 1225 1226- One issue can contain several CVEs; 1227- One CVE can be shared across several issues; 1228- A single package can be concerned by several issues. 1229 1230 1231A "Vulnerability roundup" issue usually respects the following format: 1232 1233```txt 1234<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub> 1235 1236<list of related CVEs, their CVSS score, and the impacted NixOS version> 1237 1238<list of the scanned Nixpkgs versions> 1239 1240<list of relevant contributors> 1241``` 1242 1243Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package. 1244 1245 1246#### Triaging and Fixing 1247 1248**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable). 1249If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as necessary to help maintainers double check. 1250 1251If you are investigating a "true positive": 1252 1253- Find the earliest patched version or a code patch in the CVE details; 1254- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch? 1255 - **No**: 1256 - [Submit a security fix][security-fixes]; 1257 - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](../CONTRIBUTING.md#how-to-backport-pull-requests); 1258 - **Yes**: [Backport the change to the vulnerable release branch(es)](../CONTRIBUTING.md#how-to-backport-pull-requests). 1259- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).