Regression on the use of `lib.licensesSpdx`

[kleinreact]

We encountered a regression with the update of 7a5af01 being part of v2.21.0, which already has landed in nixpkgs.

With that update building one of our packages fails due to the license not being available in lib.licensesSpdx:

error:
       … while calling the 'derivationStrict' builtin
         at «nix-internal»/derivation-internal.nix:37:12:
           36|
           37|   strict = derivationStrict drvAttrs;
             |            ^
           38|

       … while evaluating derivation 'GHC-9.10.3'
         whose name attribute is located at «github:NixOS/nixpkgs/a07d4ce6bee67d7c838a8a5796e75dff9caa21ef?narHash=sha256-hQ284SkIeNaeyud%2BLS0WVLX%2BWL2rxcVZLFEaK0e03zg%3D»/pkgs/stdenv/generic/make-derivation.nix:536:13

       … while evaluating attribute 'NIX_GHC' of derivation 'GHC-9.10.3'

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: attribute '"CERN-OHL-P-2.0"' missing
       at /nix/store/wh3jjprhaidd3znfnjmjvj1q60831zk1-cabal2nix-clash-crypto/default.nix:37:13:
           36|   description = "Cryptographic hardware in Clash";
           37|   license = lib.licensesSpdx."CERN-OHL-P-2.0";
             |             ^
           38| }

The following patch successfully works around the issue and highlights the underlying problem here: the license we use has a proper LicenseId, but is not part of lib.licensesSpdx. This breaks the assumption of 7a5af01 that every LicenseId also has a corresponding counterpart in lib.licensesSpdx.

--- a/src/Distribution/Nixpkgs/Haskell/FromCabal/License.hs
+++ b/src/Distribution/Nixpkgs/Haskell/FromCabal/License.hs
@@ -53,6 +53,7 @@ fromSPDXLicense (SPDX.License expr) =
     SPDX.ELicense simpl Nothing ->
       -- Not handled: license exceptions
       case simpl of
+        SPDX.ELicenseId SPDX.CERN_OHL_P_2_0 -> Unknown (Just $ prettyShow expr)
         SPDX.ELicenseId lid -> Known ("lib.licensesSpdx.\"" ++ prettyShow lid ++ "\"")
         _ ->
           -- Not handed: the '+' suffix and user-defined licences references.

[sternenseemann]

Hm, this is indeed unfortunate. I was under the impression that licensesSpdx contained the entire SPDX license list, but apparently this is not the case (sorry about this, I should have checked!).

The question is what to do about this. We could

• revert this change
• add the missing licenses to Nixpkgs which would require some discussion. In the past, we've added licenses as needed (which was a sensible policy, all in all).
• try to generate what a valid license attribute set on the fly in the expression. I think this would be possible using the data available in Distribution.SPDX, but would have some annoying drawbacks, i.e. I don't think we would be able to link to its actual website (only the SPDX page) and we'd generate a lot of redundant output in Nixpkgs.

To work around this for now, you can likely add an overlay to your Nixpkgs instance that adds the missing license (LMK if you need help with that). Is your package uploaded to Hackage?

cc @jopejoe1

[kleinreact]

To work around this for now, you can likely add an overlay to your Nixpkgs instance that adds the missing license (LMK if you need help with that). Is your package uploaded to Hackage?

Fortunately, the package still is in a development stage and not on hackage yet (cf. clash-crypto).

Using the aforementioned patch should suffice for us as a temporary workaround such that we at least still can use our development shells.

[sternenseemann]

I believe the best solution is probably to switch to https://nixos.org/manual/nixpkgs/stable/#function-library-lib.meta.getLicenseFromSpdxId which has a fallback behavior which would address everyone's concerns.

[sternenseemann]

Can you try whether #708 resolves your problem?

[kleinreact]

Yes, that works, while it now produces the following additional warning compared to 2.20.1:

evaluation warning: getLicenseFromSpdxId: No license matches the given SPDX ID: CERN-OHL-P-2.0

[sternenseemann]

Yes, that is expected. We could prevent this warning from being generated, but it may also be useful. Unsure.

We could in principle render something like

lib.meta.getLicenseFromSpdxIdOr "<id>" { shortName = "<id>"; spdxId = "<id>"; fullName = "<name from cabal>"; }

But this would increase the size of the generated output considerably.

[sternenseemann]

I published cabal2nix 2.21.3 which resolves this (albeit with the warning). LMK whether there are any further problems.