[WIP] Add (optional) license white/blacklisting

[matthiasbeyer]

[WIP]

This adds optional white- or blacklisting for licenses from the users configuration as I proposed on the ML.

Please tell me what you guys think about this.

---

(I hope the [ci skip] thing worked here... as this is wip)

[wmertens]

You could use

builtins.elem x xs
    Return true if a value equal to x occurs in the list xs, and false otherwise.

to make this shorter. Not sure if it is better from a memory or speed standpoint though.

[wmertens]

So right now if you want to allow a specific unfree license, you need to set allowUnfree and blacklist all the ones you don't like. Wouldn't it be better to let allowedLicenses be empty by default and work as a whitelist?

[matthiasbeyer]

So, I'm done for today. I would like to hear some more feedback on this and whether this is a good idea or not, before putting effort in history-cleanup.

But now I need some sleep.

---

My idea was not to change the type of the allowUnfree setting at all, to be backwards compatible. Of course, the expected behaviour needs some discussion here! A combination of all three would be nice, where each option as a sane default value, of course.

[wmertens]

Behavior I'd expect:

• allowUnfree* behavior is unchanged
• whitelistedLicenses enables licenses and overrides allowUnfree*, e.g. allow the Oracle one
• blacklistedLicense disables licenses even if they're free, e.g. GPLv3

[matthiasbeyer]

@wmertens Of course, that's what I'd like too, but how should they play together? If I do not allow unfree licenses but whitelist the Oracle one and then blacklist it again... is it allowed or not?

If I both black- and whitelist GPLv3, is it allowed or not?

[bjornfor]

I'm just jumping in here.

"If I both black- and whitelist GPLv3, is it allowed or not?" -> That's a configuration error that can be caught by an assertion (i.e. it's not allowed).

[matthiasbeyer]

"If I both black- and whitelist GPLv3, is it allowed or not?" -> That's a configuration error that can be caught by an assertion (i.e. it's not allowed).

Would be a good idea to do it this way, yes.

[wmertens]

Indeed, assert that blacklist and whitelist are mutually exclusive.
Blacklist gets precedence, then whitelist, then unfree. IMHO ;-)

On Thu Jan 22 2015 at 9:04:26 AM Matthias Beyer notifications@github.com
wrote:

"If I both black- and whitelist GPLv3, is it allowed or not?" -> That's a
configuration error that can be caught by an assertion (i.e. it's not
allowed).

Would be a good idea to do it this way, yes.

—
Reply to this email directly or view it on GitHub
#5892 (comment).

[matthiasbeyer]

I would do it this way:

(Pseudocode ahead!)

if (unfreeAllowed) then
  if (packageBlacklisted? pkg)
    fail
  else install pkg
else # if unfree not allowed
  if (packageWhitelisted? pkg)
    install pkg
  else fail
endif

[wmertens]

Not quite - some companies do not want to use e.g. free GPLv3 software so
they should be able to blacklist free licenses.

On Thu Jan 22 2015 at 12:27:26 PM Matthias Beyer notifications@github.com
wrote:

I would do it this way:

(Pseudocode ahead!)

if (unfreeAllowed) then
if (packageBlacklisted? pkg)
fail
else install pkg
else # if unfree not allowed
if (packageWhitelisted? pkg)
install pkg
else fail
endif

—
Reply to this email directly or view it on GitHub
#5892 (comment).

[matthiasbeyer]

@wmertens look at my latest patch. It does it this way:

if (hasUnallowedUnfreeLicense pkg) && !(hasWhitelistedLicense pkg) then
  fail
else if hasBlacklistedLicense pkg then
  fail
[...]

I will patch hasUnfreeLicense because I consider the name hasUnallowedUnfreeLicense better right now.

[wmertens]

I'd also like to see config.allowedLicenses renamed...

[wmertens]

I'd expect

    if hasBlacklistedLicense attrs then
      throw...
    else if (! hasWhitelistedLicense attrs) and (hasDeniedUnfreeLicense attrs) then
      throw...
    else

[matthiasbeyer]

That's exactly what's implemented right now, isn't it?

The mutual-exclusive check is added as well, of course.

[wmertens]

That semicolon is unneeded (and I'm surprised it even evaluates)

[matthiasbeyer]

I skip the CI.

[wmertens]

You don't test locally? Because I think you didn't define mutEx 😁

[matthiasbeyer]

I don't test locally because I do not want to test after every change. I want to test once, but do it right, after we agreed on the actual default behaviour.

[wmertens]

well the patch looks good to me so start testing 😉

[matthiasbeyer]

@wmertens Okay, can you tell me a way how you'd like this to be tested?

[wmertens]

@matthiasbeyer we don't have unit tests for configuration afaik so simply clone your tree locally and try to evaluate few configurations with packages that have proper and denied licenses...

To evaluate, export NIX_PATH=nixpkgs=...your-tree/ and run nixos-rebuild dry-run -v. Make sure it uses the correct nixpkgs tree.

[matthiasbeyer]

I was able to run nixos-rebuild dry-run -v, but as far as I understand it, this does not actually warn if packages which are already installed have a license which is blacklisted, should it?

---

Edit: I just blacklisted all GPLv2.* licenses, and it does not warn or fail that the linux kernel is installed... so this works only when installing new packages, I guess. Same applies to the normal allowUnfree configuration, right?

[matthiasbeyer]

With GPLv2 blacklisted and a new environment.systemPackages entry for cups, which is GPLv2, the nixos-rebuild dry-run -v actually works, but it should fail, shouldn't it? :-)

[wmertens]

Indeed. The -v shows that it is using your copy of the tree? Start
debugging ;-)

On Fri Jan 23 2015 at 3:38:13 PM Matthias Beyer notifications@github.com
wrote:

With GPLv2 blacklisted and a new environment.systemPackages entry for cups,
which is GPLv2, the nixos-rebuild dry-run -v actually works, but it
should fail, shouldn't it? :-)

—
Reply to this email directly or view it on GitHub
#5892 (comment).

[matthiasbeyer]

Somehow, setting the environment variable did not work.

Doing

nixos-rebuild dry-run -v -I nixpkgs=~/nixpkgs

Fails because the linux kernel has a blacklisted license... yay!

I will do more debugging now...

[wmertens]

I see a spurious ';'. Also, can you squash everything into one commit?

[matthiasbeyer]

I guess the work-in-progress label can be removed.

[wmertens]

Can you remove the trace calls, that will also fix the travis build failure.

[matthiasbeyer]

@wmertens I'd really love to have these kind of notification, as the users can actually see that there are things which can not be filtered.

Why are there packages without a name?

[wmertens]

Well, trace is for debugging, it's not generally used in nixpkgs at this point in time. If you want to let people know which ones are allowed through, implement a disallowEmptyLicense flag 😁.

[wmertens]

You're not using BlacklistedLicense? Shouldn't AllowedLicense be taken out and instead use BlacklistedLicense?

[matthiasbeyer]

Rebased onto latest master as I guess the latest breakage was not caused by my PR...

[wmertens]

Two more things : could you name the attributes in this error message and can you squash again?

[matthiasbeyer]

@wmertens Can you tell me what causes the travis build failure? Is it caused by one of my patches, actually?

[wmertens]

No, master is broken because of the ruby or python work. However the
previous failure was die to name missing on stdenv...

On Sat, Jan 24, 2015, 3:27 PM Matthias Beyer notifications@github.com
wrote:

@wmertens https://github.com/wmertens Can you tell me what causes the
travis build failure? Is it caused by one of my patches, actually?

—
Reply to this email directly or view it on GitHub
#5892 (comment).

[wmertens]

Alright it looks good to merge now but can you squash it into a single commit?

[matthiasbeyer]

I would actually like to keep the "Remove trace calls by outcommenting" commit as seperate commit. If further work needs to be done in this area, one can simply revert this bit and get this going.

If you really want me to squash it I'll do this, though.

[wmertens]

Yes squash please, uncommenting the calls is easy enough.

[wmertens]

Awesome, thanks! You might want to tell the mailing list about it :-)

[edolstra]

This should be lifted out to prevent it from being evaluated on every call to mkDerivation.

[wmertens]

Hmmm should have caught that sorry. @matthiasbeyer feel like tackling this or shall I do that?

[matthiasbeyer]

@wmertens Would be nice if you'd do it, I'm in the exams phase now and don't know how long it would take if I'd do it.

[wmertens]

Done in 0feb19b