stdenv: pURL perl implementation

doc/redirects.json

@@ -231,6 +231,9 @@
   "sec-meta-identifiers-cpe": [
     "index.html#sec-meta-identifiers-cpe"
   ],
+  "sec-meta-identifiers-purl": [
+    "index.html#sec-meta-identifiers-purl"
+  ],
   "sec-modify-via-packageOverrides": [
     "index.html#sec-modify-via-packageOverrides"
   ],
@@ -643,6 +646,15 @@
   "var-meta-identifiers-possibleCPEs": [
     "index.html#var-meta-identifiers-possibleCPEs"
   ],
+  "var-meta-identifiers-purl": [
+    "index.html#var-meta-identifiers-purl"
+  ],
+  "var-meta-identifiers-purlParts": [
+    "index.html#var-meta-identifiers-purlParts"
+  ],
+  "var-meta-identifiers-purls": [
+    "index.html#var-meta-identifiers-purls"
+  ],
   "var-meta-teams": [
     "index.html#var-meta-teams"
   ],

doc/release-notes/rl-2511.section.md

@@ -176,6 +176,8 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
+- Metadata identifier purl (Package URL, https://github.com/package-url/purl-spec) has been added for fetchgit, fetchpypi and fetchFromGithub fetchers and derivations for Perl, Python, Ruby and Golang derivations have been adjusted to reuse these informations. Package URL's enables a reliable identification and locatization of software packages. Maintainers of derivations using the adopted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. Maintainers using fetchurl for `drv.src` are urged to adopt their `drv.meta.identifiers.purlParts` for proper identification.
+
 - Added `rewriteURL` attribute to the nixpkgs `config`, to allow for rewriting the URLs downloaded by `fetchurl`.
 
 - The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.

doc/stdenv/meta.chapter.md

@@ -319,3 +319,22 @@ A readonly attribute that concatenates all CPE parts in one string.
 #### `meta.identifiers.possibleCPEs` {#var-meta-identifiers-possibleCPEs}
 
 A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.
+
+### Package URL {#sec-meta-identifiers-purl}
+
+[Package URL](https://github.com/package-url/purl-spec) (pURL) is a specification to reliably identify and locate software packages. Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. Package URL's default to the mkDerivation.src, as the original consumed software package is the single point of truth.
+
+#### `meta.identifiers.purlParts` {#var-meta-identifiers-purlParts}
+
+This attribute contains an attribute set of all parts of the pURL for this package.
+
+* `type` mandatory [type](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/docs/standard/summary.md) which needs to be provided
+* `spec` specify the pURL in accordance with the [purl-spec](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/purl-specification.md)
+
+#### `meta.identifiers.purl` {#var-meta-identifiers-purl}
+
+A readonly attribute which is built based on purlParts. It is the main identifier, consumers should consider using the pURL's list interface to be prepared for edge cases.
+
+#### `meta.identifiers.purls` {#var-meta-identifiers-purls}
+
+A readonly attribute list which defaults to a single element equal to the main pURL. It provides an interface for additional identifiers of mkDerivation.src and / or vendored dependencies inside mkDerivation.src, which maintainers can conciously decide to use on top. Identifiers different to the default src identifier are not recommended by default as they might cause maintenance overhead or may diverge (e.g. differences between source distribution pkg:github and binary distribution like pkg:pypi).

maintainers/scripts/nix-generate-from-cpan.pl

@@ -438,7 +438,7 @@ sub sha256_to_sri {
 print STDERR "===\n";
 
 print <<EOF;
-  ${\(is_reserved($attr_name) ? "\"$attr_name\"" : $attr_name)} = $build_fun {
+  ${\(is_reserved($attr_name) ? "\"$attr_name\"" : $attr_name)} = $build_fun rec {
     pname = "$pkg_name";
     version = "$pkg_version";
     src = fetchurl {
@@ -468,6 +468,10 @@ sub sha256_to_sri {
       maintainers = [ maintainers.${\$opt->maintainer} ];
 EOF
 print <<EOF;
+      identifiers.purlParts = {
+        type = "cpan";
+        spec = "${\$module->author->cpanid}/\${pname}@\${version}";
+      };
     };
   };
 EOF

pkgs/build-support/fetchgit/default.nix

@@ -185,7 +185,15 @@ lib.makeOverridable (
             "FETCHGIT_HTTP_PROXIES"
           ];
 
-        inherit preferLocalBuild meta allowedRequisites;
+        inherit preferLocalBuild allowedRequisites;
+
+        meta = meta // {
+          identifiers.purlParts = {
+            type = "generic";
+            # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/generic-definition.md
+            spec = "${name}?vcs_url=${url}@${(lib.revOrTag rev tag)}";
+          };
+        };
 
         passthru = {
           gitRepoUrl = url;

pkgs/build-support/fetchgithub/default.nix

@@ -46,11 +46,25 @@ lib.makeOverridable (
       meta
       // {
         homepage = meta.homepage or baseUrl;
+        identifiers.purlParts =
+          if githubBase == "github.com" then
+            {
+              type = "github";
+              # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/github-definition.md
+              spec = "${owner}/${repo}@${(lib.revOrTag rev tag)}";
+            }
+          else
+            {
+              type = "generic";
+              # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/generic-definition.md
+              spec = "${repo}?vcs_url=https://${githubBase}/${owner}/${repo}@${(lib.revOrTag rev tag)}";
+            };
       }
       // lib.optionalAttrs (position != null) {
         # to indicate where derivation originates, similar to make-derivation.nix's mkDerivation
         position = "${position.file}:${toString position.line}";
       };
+
     passthruAttrs = removeAttrs args [
       "owner"
       "repo"
@@ -153,12 +167,15 @@ lib.makeOverridable (
       // passthruAttrs
       // {
         inherit name;
+      }
+      # fetchurl / fetchzip is not a function, but fetchurlBoot is - ensure that the parameter is accepted and passed through
+      // lib.optionalAttrs (!builtins.isFunction fetcher || (builtins.functionArgs fetcher) ? meta) {
+        meta = newMeta;
       };
   in
 
   fetcher fetcherArgs
   // {
-    meta = newMeta;
     inherit owner repo tag;
     rev = revWithTag;
   }

pkgs/build-support/fetchpypi/default.nix

@@ -51,6 +51,8 @@ makeOverridable (
     format ? "setuptools",
     sha256 ? "",
     hash ? "",
+    pname,
+    version,
     ...
   }@attrs:
   let
@@ -60,8 +62,20 @@ makeOverridable (
         "hash"
       ]
     );
+    meta = {
+      identifiers.purlParts = {
+        type = "pypi";
+        # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/pypi-definition.md
+        spec = "${pname}@${version}";
+      };
+    };
   in
   fetchurl {
-    inherit url sha256 hash;
+    inherit
+      url
+      sha256
+      hash
+      meta
+      ;
   }
 )

pkgs/build-support/go/module.nix

@@ -424,6 +424,12 @@ lib.extendMkDerivation {
       meta = {
         # Add default meta information.
         platforms = go.meta.platforms or lib.platforms.all;
+        identifiers = {
+          ${if (finalAttrs.src.meta.identifiers.purl or null) != null then "purl" else null} =
+            finalAttrs.src.meta.identifiers.purl;
+          ${if (finalAttrs.src.meta.identifiers.purls or null) != null then "purls" else null} =
+            finalAttrs.src.meta.identifiers.purls;
+        };
       }
       // meta;
     };

pkgs/by-name/jq/jq/package.nix

@@ -134,5 +134,9 @@ stdenv.mkDerivation (finalAttrs: {
     ];
     platforms = lib.platforms.unix;
     mainProgram = "jq";
+    identifiers.purlParts = {
+      type = "github";
+      spec = "jqlang/jq@jq-${finalAttrs.version}";
+    };
   };
 })

pkgs/by-name/po/popt/package.nix

@@ -49,5 +49,9 @@ stdenv.mkDerivation rec {
     maintainers = with maintainers; [ qyliss ];
     license = licenses.mit;
     platforms = platforms.unix;
+    identifiers.purlParts = {
+      type = "github";
+      spec = "rpm-software-management/popt@popt-${version}-release";
+    };
   };
 }

pkgs/development/interpreters/python/mk-python-derivation.nix

@@ -416,6 +416,12 @@ let
         # default to python's platforms
         platforms = python.meta.platforms;
         isBuildPythonPackage = python.meta.platforms;
+        identifiers = {
+          ${if (attrs.src.meta.identifiers.purl or null) != null then "purl" else null} =
+            attrs.src.meta.identifiers.purl;
+          ${if (attrs.src.meta.identifiers.purls or null) != null then "purls" else null} =
+            attrs.src.meta.identifiers.purls;
+        };
       }
       // meta;
     }

pkgs/development/ruby-modules/gem/default.nix

@@ -300,6 +300,20 @@ lib.makeOverridable (
         platforms = ruby.meta.platforms;
         mainProgram = gemName;
       }
+      // (lib.optionalAttrs (type == "gem") {
+        identifiers.purlParts = {
+          type = "gem";
+          # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/gem-definition.md
+          spec = "${gemName}@${version}?platform=${platform}";
+        };
+      })
+      // (lib.optionalAttrs (type == "git") {
+        identifiers = {
+          ${if (src.meta.identifiers.purl or null) != null then "purl" else null} = src.meta.identifiers.purl;
+          ${if (src.meta.identifiers.purls or null) != null then "purls" else null} =
+            src.meta.identifiers.purls;
+        };
+      })
       // meta;
     }
   )

pkgs/stdenv/generic/check-meta.nix

@@ -710,14 +710,27 @@ let
                   cpe = makeCPE guessedParts;
                 }
               ) possibleCPEPartsFuns;
+
+          purlParts = attrs.meta.identifiers.purlParts or { };
+          purl =
+            attrs.meta.identifiers.purl or (
+              if purlParts ? type && purlParts ? spec then "pkg:${purlParts.type}/${purlParts.spec}" else null
+            );
+          purls = attrs.meta.identifiers.purls or (optional (purl != null) purl);
+
           v1 = {
-            inherit cpeParts possibleCPEs;
+            inherit
+              cpeParts
+              possibleCPEs
+              purls
+              ;
             ${if cpe != null then "cpe" else null} = cpe;
+            ${if purl != null then "purl" else null} = purl;
           };
         in
         v1
         // {
-          inherit v1;
+          inherit v1 purlParts;
         };
 
       # Expose the result of the checks for everyone to see.