stdenv: PURL fetcher introduction

[h0nIg]

#421125 was merged and reverted later, because of regressions.

the background is described here: #421125 (comment)

@wolfgangwalther outlined the conditions and would like to enhance CI - over time. This is a continuous approach, which is in line with packages which have been found to be defunct and which need a fix. There may be more packages which have problems and we would like to prevent further fallout by a feature flag (prevents accessing + inheritance of drv.src / drv.srcs).

packages list: #453322 (comment)
list of real broken packages: #453322 (comment)
broken packages fix (deferrable PR: #457769)

With the old PR + the broken&platform check fix from #453291 + the feature flag, we enable maintainers to gather experience with PURL and set appropriate information (e.g. jq example, where fetchurl is used instead of fetchFromGithub)

nix-repl> xx = (import /my/nixpkgs {config={derivationPURLInheritance = true;};})
nix-repl> xx.python3Packages.boto3.meta.identifiers
{
  cpeParts = { ... };
  possibleCPEs = [ ... ];
  purl = "pkg:github/boto/boto3@1.40.18";
  purlParts = { ... };
  purls = [ ... ];
  v1 = { ... };
}

nix-repl> xx = (import /my/nixpkgs {})
nix-repl> xx.python3Packages.boto3.meta.identifiers
{
  cpeParts = { ... };
  possibleCPEs = [ ... ];
  purlParts = { ... };
  purls = [ ... ];
  v1 = { ... };
}

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

---

Add a 👍 reaction to pull requests you find important.

[h0nIg]

we need to squash all commits later, just for transparency let's keep the commits separated in order to understand what has been changed.

[raboof]

i demonstrated which data can get extracted with this patch some time ago: #421125 (comment)

Thank you, it's very helpful to have a concrete example to talk about.

As you know (but repeating for new readers), the main current use case for purls is SBOMs, and there are two general techniques for extracting the dependency relationships from nix trees: evaluating the the nix sources 'in nix', and parsing the drvs from the nix store. Both have their downsides: evaluating 'in nix' currently makes some subtrees unreachable due to NixOS/nix#4677 , while parsing drv files misses useful information from the meta fields until something like #420575 or #466932 would happen.

AFAICT "the jury is still out" on which approach we will land on. Until that time, I think we should not yet merge this PR as-is, as its complex/controversial bits (the propagation between meta and src.meta) only seem useful/necessary for the 'in nix' approach. If we'd land on the drv parsing approach, this propagation is not necessary: I made a small PoC showing that at https://codeberg.org/raboof/nix-build-sbom/src/branch/purl-experiment . Of course that PoC is horrible for several reasons, I'm definitely not suggesting anyone should use that directly, but it does show there are approaches where it's possible to derive purls without having the meta propagation - so it might be premature to introduce it.

The introduction of meta.identifiers.purl/meta.identifiers.purls/drv.src.meta.identifiers.v1.purl(s) in this PR seems more directly useful: for example, for python312Packages.pixelmatch we currently infer something like pkg:generic/pixelmatch-py?vcs_url=https://github.com/whtsky/pixelmatch-py.git@v0.3.0 or pkg:github/whtsky/pixelmatch-py@v0.3.0 as purl, while in fact pkgs:pypi/pixelmatch:0.3.0 would be more accurate. I don't think that information can currently be reasonably inferred, and IMHO it would be great if we could encode that knowledge in meta. This would benefit us immediately for nix-eval-based construction of SBOMs, and also for drv-based construction once we land on a way to expose meta to such tools.

(I have not digested the design decisions of that part of this PR, but it seems to me it might help to discuss those changes in isolation in their own PR, which we might be able to merge more quickly?)

[h0nIg]

(I have not digested the design decisions of that part of this PR, but it seems to me it might help to discuss those changes in isolation in their own PR, which we might be able to merge more quickly?)

as agreed in our call together with @raboof, i removed the inheritance and its feature flag

[raboof]

Since the transition to Github Actions we no longer have a CI which performs those checks so this needs to be done manually.

You can see the performance report in the PR summary page: https://github.com/NixOS/nixpkgs/actions/runs/18756048808?pr=454333#summary-53508514968

@wolfgangwalther that link is now dead. This PR was significantly simplified since - would it be possible to do another performance check? How would one do that?

[wolfgangwalther]

would it be possible to do another performance check? How would one do that?

The performance data is available in every CI run. Just click your way to the details page of the CI jobs listed at the bottom of the PR and scroll your way through.

[raboof]

would it be possible to do another performance check? How would one do that?

The performance data is available in every CI run. Just click your way to the details page of the CI jobs listed at the bottom of the PR and scroll your way through.

Gotcha, for the 'Eval Summary' job, so https://github.com/NixOS/nixpkgs/actions/runs/22830597798?pr=454333 - so no noticeable change in speed, and a size increase of 0.05%-0.3%.

[raboof]

Starting to look attractive! Some comments here and there.

[raboof]

"Package URL's shall default to the mkDerivation.src" is no longer true 'in nixpkgs', but consuming tools are expected to make this association (at least for now). That seems like a good start to me.

[h0nIg]

src or srcs is implementation specific, the tool outside should not try to guess which one is the right approach. The interface is drv.meta.identifiers.purl and the implementation (the drv) should define the "where to search". I would like to keep this

[RossComputerGuy]

I am in agreement that we shouldn't push tools to trying to guess. Especially with tools that try to be efficient and can parallelize things, it makes the concurrency more difficult. Imo, it would be great if drv.meta.identifiers.purl defaults to drv.src.meta.identifiers.purl. I know people would be concerned with eval performance.

[raboof]

why is this field named 'spec'? what's the motivation for splitting the 'type' and the rest of the purl like this, over 'just' having a purl string? Are you expecting more fields in the future?

[yyovil]

what if all the PURL components are defined as attrs here? except the schema being a constant "pkg".

[h0nIg]

i splitted them to give it a thin structure overall

spec is the implementation of the definition schema: https://github.com/package-url/purl-spec/tree/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types

[Eveeifyeve]

This looks to good to me, however I would like to see the purl parts be automatically defined by fetchers as well in a followup.