add mechanism for handling meta.sourceProvenance attributes
#161098
Conversation
risicle
requested review from
Ericson2314,
matthewbauer,
edolstra,
nbp and
infinisil
as code owners
|
what type will appimages,snaps,flatpaks be, for example chrysalis which we have in nixpkgs. |
|
|
risicle
force-pushed
the
ris-source-provenance
branch
from
f748024
to
07a6ed7
Compare
This comment was marked as outdated.
This comment was marked as outdated.
(this relates to `pkgs/os-specific/linux/microcode`, not this PR)Also: x86_64 processors have microcode, and nearly all of them need microcode updates due to the whole Foreshadow-Meltdown-Spectre fiasco. These microcode updates are not even remotely open source. Nobody not under NDA has much of an idea what the source code would even look like! https://www.kernel.org/doc/html/latest/x86/microcode.html These microcode blobs are definitely Since such a huge portion of the current installed base of CPUs needs these blobs, it will probably drive most nixpkgs/nixos users to just set You might want to consider adding a category
...and a corresponding I further suggest that when rejecting a package due to the presence of Fortunately ARM, MIPS, and PowerPC chips don't need any of this stuff; all they have is chickenbits (and POWER9 actually documents what the chickenbits do!) |
Perhaps - I think the key thing here is that we're starting from a position of having zero packages with their Note from the RFC that at some point I'd like to add a flag that implies that the
I think I don't want to bind it to the word "binary" either - in fact I'm on the fence calling bytecode
Firstly perhaps this is more an indication that I drew the line between code and firmware in the wrong place using the definition of main CPU or peripheral processor. Suggestions for better wording that would classify microcode as firmware welcome. More to the point though, these microcodes are not open source and I'd actually fully expect users who care about transparency to already be barring anything non-open-source from their systems and for these packages' But I'm sure someone's now going to point me to a package that is |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Sure that's what the OSI folks like to think, but as far as how the term actually gets used in the real world, people call all sorts of things "Open Source". Documentation and even encyclopedias that are "Open Source" (guess that means the markdown is available and freely licensed?), icon sets that are "Open Source" (perhaps the SVGs or illustrator files are available and freely licensed?), fonts that are "Open Source". And while some might disapprove of such labelling, it seems far more fitting calling those "Open Source" than calling the products in their final form "binaries". Which we'd effectively be doing if we renamed the attribute to something based on the word "binary". Anyway, I'd really just like to get this to the point where I no longer have to be the implicit umpire of these debates, because there's a limit to how much I care. All I've ever wanted to do is mark packages that just pull in a bunch of
each of which sucked me deeper into the obscure philosophical corners I don't honestly care that much about, and put me in this weird position of being the tsar over decisions. It's absolutely fine if people want to have these discussions, but I really don't think I should be the umpire, because really I just want to be able to mark the obvious cases. It's been over a year. |
This comment was marked as outdated.
This comment was marked as outdated.
My point is that
The first draft of the RFC was a year ago.
This was not meant to be official or part of the spec in any way, I simply thought nobody was going to bother tagging nonfree software's I have really zero interest in credit - I'm trying to explain that I've ended up having to make decisions about all kinds of things where I don't feel I'm the best person to do that.
I think the problem is, though I hate the phrase, "perfect being the enemy of good". I am under no illusion that we're going to create a scheme in its perfect final form before we unleash it to the world. Things can be fixed and iterated upon. We see more than enough tree-wide changes to prove this. I'm mostly interested in getting something that's going to solve the bulk of the problem well enough. I also have enough experience in creating schemas from my OpenStreetMap days to know that you can spend ages coming up with a watertight perfect schema, but what matters in the end is how people actually tag things. It ends up being as much about ergonomics as precise data representation. Codifying the relationship between licenses and provenance feels quite like when people were trying to argue that a scheme must be able to represent a highway with different styles of streetlight on each side. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
That's not what I'm trying to do - it would have been better put:
The changes look good to me, I'll pull them in. FWIW I really do hope things will get refined later on, because I don't think we're likely to get this right first time. |
…omSource This is a suggested implementation of the change recommended in the first paragraph of this comment: NixOS#161098 (comment)
This commit is a suggested implementation of the change recommended here: NixOS#161098 (comment)
This commit clarifies that the meaning of the `meta.sourceProvenance` field is independent of and unaffected by the value of the `meta.license` field. This is based on the intent of the RFC author as expressed here: NixOS#161098 (comment) This clarification is added for two reasons: 1. If in the future there should be some disagreement about what `sourceProvenance` to assign to a package, this may help resolve the disagreement. Any interpretation of `sourceProvenance` which is influenced by the `meta.license` is clearly an incorrect interpretation. 2. If it should turn out that it is impossible to disentangle `sourceProvenance` from `meta.license`, this would indicate the need for changes to the `sourceProvenance` scheme. That change might be as simple as replacing the sentence added by this commit with some other sentence explaining how the two fields influence each other. This commit implements the recommendation made in the paragraph of this comments which begins with "Please say this explicitly...": NixOS#161098 (comment)
risicle
force-pushed
the
ris-source-provenance
branch
from
07a6ed7
to
91d4d64
Compare
This comment was marked as outdated.
This comment was marked as outdated.
|
Hello folks, is there any timeline on merging this? I would like to apologize again for derailing this PR with my comments a few months back. I was not aware of the discussion attached to the (separate) PR for the RFC; this PR links to directly to the rendered RFC so that is what I read. I have hidden all of my comments above in an attempt to fix some of the damage I caused. Over the past months I have become increasingly horrified by the number of nixpkgs expressions which simply download unauditable binaries onto my computer instead. I don't need nix in order to do that. The scope of the problem is pretty shocking, and there isn't even any machine-checkable way to know when it's happening. It is really really bad. I'm starting to feel like I cannot in good conscience recommend nixpkgs to people as a result of this. @risicle, I apologize again. This situation is a total disaster and you seem to be the only one doing anything about it. Thank you for your efforts. The situation with haskell packages is especially bad. Because so much of the haskell infrastructure in nixpkgs is chronically broken it seems that packages like purescript are doing the silent binary download thing simply to keep from being broken when their dependencies break. If nixpkgs committers keep ignoring this problem perhaps we will need to look into some sort of automation hack. Nix already scans the binaries it installs into |
|
Sorry, I've just been busy with other things and now everyone's worrying about the 22.05 release.. |
There was a problem hiding this comment.
Thank you @risicle for driving this. I am very excited to see this in Nixpkgs!
I have added my review, which mostly contains remarks to further my own understanding. Please, feel free to resolve as you see fit (ie. to resolve without changes is OK, too)!
I could test this, and it behaves to my expectation. So, it LGTM!
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/packages-marked-as-broken-should-come-with-an-explanation/19187/14 |
heavily based on patterns used by licenses infrastructure, so may appear overengineered for its initial level of use
…ges to meta.license This commit clarifies that the meaning of the `meta.sourceProvenance` field is independent of and unaffected by the value of the `meta.license` field. This is based on the intent of the RFC author as expressed here: NixOS#161098 (comment) This clarification is added for two reasons: 1. If in the future there should be some disagreement about what `sourceProvenance` to assign to a package, this may help resolve the disagreement. Any interpretation of `sourceProvenance` which is influenced by the `meta.license` is clearly an incorrect interpretation. 2. If it should turn out that it is impossible to disentangle `sourceProvenance` from `meta.license`, this would indicate the need for changes to the `sourceProvenance` scheme. That change might be as simple as replacing the sentence added by this commit with some other sentence explaining how the two fields influence each other. This commit implements the recommendation made in the paragraph of this comments which begins with "Please say this explicitly...": NixOS#161098 (comment)
strings complicate reasoning about values and may not be needed with `sourceProvenance` Co-authored-by: Alexander Foremny <aforemny@posteo.de>
Co-authored-by: Adam Joseph <54836058+a-m-joseph@users.noreply.github.com>
it may be what the license handling code does, but it's confusing and not very useful Co-authored-by: Adam Joseph <54836058+a-m-joseph@users.noreply.github.com>
Co-authored-by: Alexander Foremny <aforemny@posteo.de>
risicle
force-pushed
the
ris-source-provenance
branch
from
cb610fc
to
d4c9023
Compare
There was a problem hiding this comment.
Thank you @risicle for incorporating all of our comments, and thank you @a-m-joseph in your help reviewing this!
I could re-test the changes here, and the implementation behaves to my expectation.
I am really glad to see this in Nixpkgs!
…ges to meta.license This commit clarifies that the meaning of the `meta.sourceProvenance` field is independent of and unaffected by the value of the `meta.license` field. This is based on the intent of the RFC author as expressed here: #161098 (comment) This clarification is added for two reasons: 1. If in the future there should be some disagreement about what `sourceProvenance` to assign to a package, this may help resolve the disagreement. Any interpretation of `sourceProvenance` which is influenced by the `meta.license` is clearly an incorrect interpretation. 2. If it should turn out that it is impossible to disentangle `sourceProvenance` from `meta.license`, this would indicate the need for changes to the `sourceProvenance` scheme. That change might be as simple as replacing the sentence added by this commit with some other sentence explaining how the two fields influence each other. This commit implements the recommendation made in the paragraph of this comments which begins with "Please say this explicitly...": #161098 (comment)
ghost
mentioned this pull request
Motivation for this change
An attempt at an initial implementation of nixos RFC 89 (https://github.com/NixOS/rfcs/blob/master/rfcs/0089-collect-non-source-package-meta.md)
This is heavily based on patterns used by the
meta.licensesinfrastructure, so may appear overengineered for its initial level of use. I felt it was more important to follow existing patterns than go for simplicity and risk the two features evolving differently.Initially I've only added the four source types mentioned in the RFC.