From c1050c581a701b4734aff25be1a73a664b6ccbc4 Mon Sep 17 00:00:00 2001 From: Hans Joachim Kliemeck Date: Sun, 8 Mar 2026 21:18:51 +0000 Subject: [PATCH 1/4] stdenv: PURL fetcher introduction & feature flag --- doc/redirects.json | 12 +++++ doc/release-notes/rl-2605.section.md | 2 + doc/stdenv/meta.chapter.md | 19 +++++++ pkgs/build-support/fetchgit/default.nix | 13 ++++- pkgs/build-support/fetchgithub/default.nix | 16 ++++++ pkgs/build-support/fetchpypi/default.nix | 16 +++++- pkgs/by-name/jq/jq/package.nix | 4 ++ pkgs/by-name/po/popt/package.nix | 4 ++ pkgs/development/ruby-modules/gem/default.nix | 7 +++ pkgs/stdenv/generic/check-meta.nix | 51 ++++++++++++++++++- pkgs/top-level/config.nix | 11 ++++ 11 files changed, 151 insertions(+), 4 deletions(-) diff --git a/doc/redirects.json b/doc/redirects.json index 8f45ed9add20b..41d1f5a9a3e9b 100644 --- a/doc/redirects.json +++ b/doc/redirects.json @@ -412,6 +412,9 @@ "sec-meta-identifiers-cpe": [ "index.html#sec-meta-identifiers-cpe" ], + "sec-meta-identifiers-purl": [ + "index.html#sec-meta-identifiers-purl" + ], "sec-modify-via-packageOverrides": [ "index.html#sec-modify-via-packageOverrides" ], @@ -932,6 +935,15 @@ "var-meta-identifiers-possibleCPEs": [ "index.html#var-meta-identifiers-possibleCPEs" ], + "var-meta-identifiers-purl": [ + "index.html#var-meta-identifiers-purl" + ], + "var-meta-identifiers-purlParts": [ + "index.html#var-meta-identifiers-purlParts" + ], + "var-meta-identifiers-purls": [ + "index.html#var-meta-identifiers-purls" + ], "var-meta-teams": [ "index.html#var-meta-teams" ], diff --git a/doc/release-notes/rl-2605.section.md b/doc/release-notes/rl-2605.section.md index 3b4c274609f84..60f2083988fe2 100644 --- a/doc/release-notes/rl-2605.section.md +++ b/doc/release-notes/rl-2605.section.md 
@@ -314,6 +314,8 @@ - `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch. +- Metadata identifier purl (Package URL, https://github.com/package-url/purl-spec) has been added for fetchgit, fetchpypi and fetchFromGithub fetchers and mkDerivation has been adjusted to reuse these informations. Package URL's enables a reliable identification and locatization of software packages. Maintainers of derivations using the adopted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. Maintainers using fetchurl for `drv.src` are urged to adopt their `drv.meta.identifiers.purlParts` for proper identification. Maintainers should check that their `drv.src` / `drv.srcs` either evaluate properly or that they throw an UnsupportedPlatform statement instead of a missing attribute error. The inheritance feature of `drv.src(s).meta.identifiers.purl(s)` for `drv.meta.identifiers.purl(s)` can get activated via `config.allowSrcEvalForDrvMeta`. + - `balatro` now supports the Google Play and Xbox PC versions of the game. Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`. - `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.** diff --git a/doc/stdenv/meta.chapter.md b/doc/stdenv/meta.chapter.md index 1fac5244af665..d9625462c0233 100644 --- a/doc/stdenv/meta.chapter.md +++ b/doc/stdenv/meta.chapter.md 
@@ -334,3 +334,22 @@ A readonly attribute that concatenates all CPE parts in one string. #### `meta.identifiers.possibleCPEs` {#var-meta-identifiers-possibleCPEs} A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess. + +### Package URL {#sec-meta-identifiers-purl} + +[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages. Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. Package URL's shall default to the mkDerivation.src, as the original consumed software package is the single point of truth. The default inheritance must get enabled explicitly through the nixpkgs config parameter `allowSrcEvalForDrvMeta`. + +#### `meta.identifiers.purlParts` {#var-meta-identifiers-purlParts} + +This attribute contains an attribute set of all parts of the PURL for this package. + +* `type` mandatory [type](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/docs/standard/summary.md) which needs to be provided +* `spec` specify the PURL in accordance with the [purl-spec](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/purl-specification.md) + +#### `meta.identifiers.purl` {#var-meta-identifiers-purl} + +An extendable attribute which is built based on purlParts. It is the main identifier, consumers should consider using the PURL's list interface to be prepared for edge cases. + +#### `meta.identifiers.purls` {#var-meta-identifiers-purls} + +An extendable attribute list which defaults to a single element equal to the main PURL. 
It provides an interface for additional identifiers of mkDerivation.src and / or vendored dependencies inside mkDerivation.src, which maintainers can consciously decide to use on top. Identifiers different to the default src identifier are not recommended by default as they might cause maintenance overhead or may diverge (e.g. differences between source distribution pkg:github and binary distribution like pkg:pypi). diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix index 5cf447e37a0de..3eb3f412d37d4 100644 --- a/pkgs/build-support/fetchgit/default.nix +++ b/pkgs/build-support/fetchgit/default.nix @@ -251,7 +251,18 @@ lib.makeOverridable ( ${if allowedRequisites != null then "allowedRequisites" else null} = allowedRequisites; }; - inherit preferLocalBuild meta; + inherit preferLocalBuild; + + meta = meta // { + identifiers = { + purlParts = { + type = "generic"; + # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/generic-definition.md + spec = "${name}?vcs_url=${url}@${(lib.revOrTag rev tag)}"; + }; + } + // meta.identifiers or { }; + }; env = { NIX_PREFETCH_GIT_CHECKOUT_HOOK = finalAttrs.postCheckout; diff --git a/pkgs/build-support/fetchgithub/default.nix b/pkgs/build-support/fetchgithub/default.nix index e12052e3d15de..1b0a1aa928051 100644 --- a/pkgs/build-support/fetchgithub/default.nix +++ b/pkgs/build-support/fetchgithub/default.nix 
@@ -89,6 +89,22 @@ decorate ( meta // { homepage = meta.homepage or baseUrl; + identifiers = { + purlParts = + if githubBase == "github.com" then + { + type = "github"; + # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/github-definition.md + spec = "${owner}/${repo}@${(lib.revOrTag rev tag)}"; + } + else + { + type = "generic"; + # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/generic-definition.md + spec = "${repo}?vcs_url=https://${githubBase}/${owner}/${repo}@${(lib.revOrTag rev tag)}"; + }; + } + // meta.identifiers or { }; } // lib.optionalAttrs (position != null) { # to indicate where derivation originates, similar to make-derivation.nix's mkDerivation diff --git a/pkgs/build-support/fetchpypi/default.nix b/pkgs/build-support/fetchpypi/default.nix index 71530bddff377..453883ac13f2e 100644 --- a/pkgs/build-support/fetchpypi/default.nix +++ b/pkgs/build-support/fetchpypi/default.nix @@ -51,6 +51,8 @@ lib.makeOverridable ( format ? "setuptools", sha256 ? "", hash ? "", + pname, + version, ... }@attrs: let @@ -60,8 +62,20 @@ lib.makeOverridable ( "hash" ] ); + meta = { + identifiers.purlParts = { + type = "pypi"; + # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/pypi-definition.md + spec = "${pname}@${version}"; + }; + }; in fetchurl { - inherit url sha256 hash; + inherit + url + sha256 + hash + meta + ; } ) diff --git a/pkgs/by-name/jq/jq/package.nix b/pkgs/by-name/jq/jq/package.nix index 31633d27ba033..70b6bb169fcea 100644 --- a/pkgs/by-name/jq/jq/package.nix +++ b/pkgs/by-name/jq/jq/package.nix @@ -139,5 +139,9 @@ stdenv.mkDerivation (finalAttrs: { ]; platforms = lib.platforms.unix; mainProgram = "jq"; + identifiers.purlParts = { + type = "github"; + spec = "jqlang/jq@jq-${finalAttrs.version}"; + }; }; }) 
diff --git a/pkgs/by-name/po/popt/package.nix b/pkgs/by-name/po/popt/package.nix index b7e84260c1b2b..abe07f84237b0 100644 --- a/pkgs/by-name/po/popt/package.nix +++ b/pkgs/by-name/po/popt/package.nix @@ -60,5 +60,9 @@ stdenv.mkDerivation (finalAttrs: { maintainers = with lib.maintainers; [ qyliss ]; license = lib.licenses.mit; platforms = lib.platforms.unix; + identifiers.purlParts = { + type = "github"; + spec = "rpm-software-management/popt@popt-${finalAttrs.version}-release"; + }; }; }) diff --git a/pkgs/development/ruby-modules/gem/default.nix b/pkgs/development/ruby-modules/gem/default.nix index a759f10138f38..ba2a5dddcb847 100644 --- a/pkgs/development/ruby-modules/gem/default.nix +++ b/pkgs/development/ruby-modules/gem/default.nix @@ -72,6 +72,13 @@ lib.makeOverridable ( attrs.source.remotes or [ "https://rubygems.org" ] ); inherit (attrs.source) sha256; + meta = { + identifiers.purlParts = { + type = "gem"; + # https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/types-doc/gem-definition.md + spec = "${gemName}@${version}?platform=${platform}"; + }; + }; } else if type == "git" then fetchgit { diff --git a/pkgs/stdenv/generic/check-meta.nix b/pkgs/stdenv/generic/check-meta.nix index 91e40c3651275..321ae3151d70c 100644 --- a/pkgs/stdenv/generic/check-meta.nix +++ b/pkgs/stdenv/generic/check-meta.nix @@ -71,6 +71,8 @@ let allowlist = config.allowlistedLicenses or config.whitelistedLicenses or [ ]; blocklist = config.blocklistedLicenses or config.blacklistedLicenses or [ ]; + allowSrcEvalForDrvMeta = config.allowSrcEvalForDrvMeta; + areLicenseListsValid = if mutuallyExclusive allowlist blocklist then true 
@@ -622,14 +624,59 @@ let cpe = makeCPE guessedParts; } ) possibleCPEPartsFuns; + + evaluateSrc = allowSrcEvalForDrvMeta && !isMarkedBroken attrs && !hasUnsupportedPlatform attrs; + purlParts = attrs.meta.identifiers.purlParts or { }; + purlPartsFormatted = + if purlParts ? type && purlParts ? spec then "pkg:${purlParts.type}/${purlParts.spec}" else null; + + # search for a PURL in the following order: + purl = + # 1) locally set through API + if purlPartsFormatted != null then + purlPartsFormatted + else if !evaluateSrc then + null + else + # 2) locally overwritten through meta.identifiers.purl + (attrs.src.meta.identifiers.purl or null); + + # search for a PURL in the following order: + purls = + # 1) locally overwritten through meta.identifiers.purls (e.g. extension of list) + attrs.meta.identifiers.purls or ( + # 2) locally set through API + if purlPartsFormatted != null then + [ purlPartsFormatted ] + else if !evaluateSrc then + [ ] + else + # 3) src.meta.PURL + (attrs.src.meta.identifiers.purls or ( + # 4) srcs.meta.PURL + if !attrs ? srcs then + [ ] + else if isList attrs.srcs then + concatMap (drv: drv.meta.identifiers.purls or [ ]) attrs.srcs + else + attrs.srcs.meta.identifiers.purls or [ ] + ) + ) + ); + v1 = { - inherit cpeParts possibleCPEs; + inherit + cpeParts + possibleCPEs + purls + ; ${if cpe != null then "cpe" else null} = cpe; + ${if purl != null then "purl" else null} = purl; }; in v1 // { - inherit v1; + inherit v1 purlParts; }; # Expose the result of the checks for everyone to see. diff --git a/pkgs/top-level/config.nix b/pkgs/top-level/config.nix index 526dd41827026..dda112b191285 100644 --- a/pkgs/top-level/config.nix +++ b/pkgs/top-level/config.nix 
@@ -472,6 +472,17 @@ let }; problems = (import ../stdenv/generic/problems.nix { inherit lib; }).configOptions; + + allowSrcEvalForDrvMeta = mkOption { + type = types.bool; + default = false; + description = '' + Enables evaluation of drv.src or drv.srcs, in order to generate parts of drv.meta. Most of the nixpkgs derivations have a drv.src or drv.srcs which properly evaluate, but there are some corner cases. + + Background: Commonly PURL identifiers are based on the source of software. For example software distributed through github.com can get identified via pkg:github/org/repo. + This feature flag should get activated, once an SBOM tool is in use and where drv.meta.identifiers.purl(s) should inherit the informations from drv.src(s).meta.identifiers.purl(s). + ''; + }; }; in From db85ef47cf7bc92bdba83afd3bfd49ae766ed923 Mon Sep 17 00:00:00 2001 From: Hans Joachim Kliemeck Date: Sun, 8 Mar 2026 21:41:28 +0000 Subject: [PATCH 2/4] stdenv: PURL fetcher introduction --- doc/release-notes/rl-2605.section.md | 2 +- doc/stdenv/meta.chapter.md | 2 +- pkgs/stdenv/generic/check-meta.nix | 28 ++-------------------------- pkgs/top-level/config.nix | 11 ----------- 4 files changed, 4 insertions(+), 39 deletions(-) diff --git a/doc/release-notes/rl-2605.section.md b/doc/release-notes/rl-2605.section.md index 60f2083988fe2..3dd4acd39b834 100644 --- a/doc/release-notes/rl-2605.section.md +++ b/doc/release-notes/rl-2605.section.md 
@@ -314,7 +314,7 @@ - `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch. -- Metadata identifier purl (Package URL, https://github.com/package-url/purl-spec) has been added for fetchgit, fetchpypi and fetchFromGithub fetchers and mkDerivation has been adjusted to reuse these informations. Package URL's enables a reliable identification and locatization of software packages. Maintainers of derivations using the adopted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. Maintainers using fetchurl for `drv.src` are urged to adopt their `drv.meta.identifiers.purlParts` for proper identification. Maintainers should check that their `drv.src` / `drv.srcs` either evaluate properly or that they throw an UnsupportedPlatform statement instead of a missing attribute error. The inheritance feature of `drv.src(s).meta.identifiers.purl(s)` for `drv.meta.identifiers.purl(s)` can get activated via `config.allowSrcEvalForDrvMeta`. +- Metadata identifier purl (Package URL, https://github.com/package-url/purl-spec) has been added for fetchgit, fetchpypi and fetchFromGithub fetchers and mkDerivation has been adjusted to reuse these informations. Package URL's enables a reliable identification and locatization of software packages. Maintainers of derivations using the adopted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. 
Maintainers using fetchurl for `drv.src` are urged to adopt their `drv.meta.identifiers.purlParts` for proper identification. - `balatro` now supports the Google Play and Xbox PC versions of the game. Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`. diff --git a/doc/stdenv/meta.chapter.md b/doc/stdenv/meta.chapter.md index d9625462c0233..88ed79597c4af 100644 --- a/doc/stdenv/meta.chapter.md +++ b/doc/stdenv/meta.chapter.md @@ -337,7 +337,7 @@ A readonly attribute containing the list of guesses for what CPE for this packag ### Package URL {#sec-meta-identifiers-purl} -[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages. Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. Package URL's shall default to the mkDerivation.src, as the original consumed software package is the single point of truth. The default inheritance must get enabled explicitly through the nixpkgs config parameter `allowSrcEvalForDrvMeta`. +[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages. Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. Package URL's shall default to the mkDerivation.src, as the original consumed software package is the single point of truth. #### `meta.identifiers.purlParts` {#var-meta-identifiers-purlParts} diff --git a/pkgs/stdenv/generic/check-meta.nix b/pkgs/stdenv/generic/check-meta.nix index 321ae3151d70c..62b2abdf5b2f2 100644 --- a/pkgs/stdenv/generic/check-meta.nix +++ b/pkgs/stdenv/generic/check-meta.nix 
@@ -71,8 +71,6 @@ let allowlist = config.allowlistedLicenses or config.whitelistedLicenses or [ ]; blocklist = config.blocklistedLicenses or config.blacklistedLicenses or [ ]; - allowSrcEvalForDrvMeta = config.allowSrcEvalForDrvMeta; - areLicenseListsValid = if mutuallyExclusive allowlist blocklist then true @@ -625,7 +623,6 @@ let } ) possibleCPEPartsFuns; - evaluateSrc = allowSrcEvalForDrvMeta && !isMarkedBroken attrs && !hasUnsupportedPlatform attrs; purlParts = attrs.meta.identifiers.purlParts or { }; purlPartsFormatted = if purlParts ? type && purlParts ? spec then "pkg:${purlParts.type}/${purlParts.spec}" else null; @@ -633,35 +630,14 @@ let # search for a PURL in the following order: purl = # 1) locally set through API - if purlPartsFormatted != null then - purlPartsFormatted - else if !evaluateSrc then - null - else - # 2) locally overwritten through meta.identifiers.purl - (attrs.src.meta.identifiers.purl or null); + if purlPartsFormatted != null then purlPartsFormatted else null; # search for a PURL in the following order: purls = # 1) locally overwritten through meta.identifiers.purls (e.g. extension of list) attrs.meta.identifiers.purls or ( # 2) locally set through API - if purlPartsFormatted != null then - [ purlPartsFormatted ] - else if !evaluateSrc then - [ ] - else - # 3) src.meta.PURL - (attrs.src.meta.identifiers.purls or ( - # 4) srcs.meta.PURL - if !attrs ? srcs then - [ ] - else if isList attrs.srcs then - concatMap (drv: drv.meta.identifiers.purls or [ ]) attrs.srcs - else - attrs.srcs.meta.identifiers.purls or [ ] - ) - ) + if purlPartsFormatted != null then [ purlPartsFormatted ] else [ ] ); v1 = { diff --git a/pkgs/top-level/config.nix b/pkgs/top-level/config.nix index dda112b191285..526dd41827026 100644 --- a/pkgs/top-level/config.nix +++ b/pkgs/top-level/config.nix 
@@ -472,17 +472,6 @@ let }; problems = (import ../stdenv/generic/problems.nix { inherit lib; }).configOptions; - - allowSrcEvalForDrvMeta = mkOption { - type = types.bool; - default = false; - description = '' - Enables evaluation of drv.src or drv.srcs, in order to generate parts of drv.meta. Most of the nixpkgs derivations have a drv.src or drv.srcs which properly evaluate, but there are some corner cases. - - Background: Commonly PURL identifiers are based on the source of software. For example software distributed through github.com can get identified via pkg:github/org/repo. - This feature flag should get activated, once an SBOM tool is in use and where drv.meta.identifiers.purl(s) should inherit the informations from drv.src(s).meta.identifiers.purl(s). - ''; - }; }; in From 55ee414bbff1852584a79c28c38c045c7021b4f3 Mon Sep 17 00:00:00 2001 From: Hans Joachim Kliemeck Date: Fri, 17 Apr 2026 18:35:42 +0200 Subject: [PATCH 3/4] stdenv: PURL fetcher introduction - review enhancements Co-authored-by: Valentin Gagarin --- doc/release-notes/rl-2605.section.md | 6 +++++- doc/stdenv/meta.chapter.md | 14 +++++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/doc/release-notes/rl-2605.section.md b/doc/release-notes/rl-2605.section.md index 3dd4acd39b834..43a822006ae17 100644 --- a/doc/release-notes/rl-2605.section.md +++ b/doc/release-notes/rl-2605.section.md 
@@ -314,7 +314,11 @@ - `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch. -- Metadata identifier purl (Package URL, https://github.com/package-url/purl-spec) has been added for fetchgit, fetchpypi and fetchFromGithub fetchers and mkDerivation has been adjusted to reuse these informations. Package URL's enables a reliable identification and locatization of software packages. Maintainers of derivations using the adopted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. Maintainers using fetchurl for `drv.src` are urged to adopt their `drv.meta.identifiers.purlParts` for proper identification. +- Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for `fetchgit`, `fetchpypi` and `fetchFromGithub` fetchers. + `mkDerivation` has been adjusted to reuse this information. + Package-URLs allow reliably identifying and locating software packages. + Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. + Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification. - `balatro` now supports the Google Play and Xbox PC versions of the game. Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`. diff --git a/doc/stdenv/meta.chapter.md b/doc/stdenv/meta.chapter.md index 88ed79597c4af..a88683ed37b72 100644 --- a/doc/stdenv/meta.chapter.md 
+++ b/doc/stdenv/meta.chapter.md @@ -337,7 +337,9 @@ A readonly attribute containing the list of guesses for what CPE for this packag ### Package URL {#sec-meta-identifiers-purl} -[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages. Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. Package URL's shall default to the mkDerivation.src, as the original consumed software package is the single point of truth. +[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages. +Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. +Package-URLs shall default to the `mkDerivation.src`, as the original consumed software package is the single source of truth. #### `meta.identifiers.purlParts` {#var-meta-identifiers-purlParts} 
@@ -348,8 +350,14 @@ This attribute contains an attribute set of all parts of the PURL for this packa #### `meta.identifiers.purl` {#var-meta-identifiers-purl} -An extendable attribute which is built based on purlParts. It is the main identifier, consumers should consider using the PURL's list interface to be prepared for edge cases. +An extendable attribute which is built based on `purlParts`. +This is the main identifier of the software package. +For handling edge cases, consider using the list interface [`meta.identifiers.purls`](#var-meta-identifiers-purls). #### `meta.identifiers.purls` {#var-meta-identifiers-purls} -An extendable attribute list which defaults to a single element equal to the main PURL. It provides an interface for additional identifiers of mkDerivation.src and / or vendored dependencies inside mkDerivation.src, which maintainers can consciously decide to use on top. Identifiers different to the default src identifier are not recommended by default as they might cause maintenance overhead or may diverge (e.g. differences between source distribution pkg:github and binary distribution like pkg:pypi). +An extendable list attribute which defaults to a single element equal to [`meta.identifiers.purl`](#var-meta-identifiers-purl). +It provides an interface for additional identifiers of `mkDerivation.src` or for identifiers of vendored dependencies inside `mkDerivation.src`, which maintainers may carefully consider to specify as well. + +Additional identifiers are generally not recommended, as they might cause maintenance overhead or diverge. +For example, a source distribution `pkg:github` may be hard to keep correctly aligned with the corresponding binary distribution `pkg:pypi`. From 46cc4b59e53bb7acb5800aca0e181a7640f083cc Mon Sep 17 00:00:00 2001 
From: Arnout Engelen Date: Tue, 26 May 2026 20:22:31 +0200 Subject: [PATCH 4/4] docs: move the Package-URL news item to 26.11 --- doc/release-notes/rl-2605.section.md | 6 ------ doc/release-notes/rl-2611.section.md | 6 +++++- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/doc/release-notes/rl-2605.section.md b/doc/release-notes/rl-2605.section.md index 43a822006ae17..3b4c274609f84 100644 --- a/doc/release-notes/rl-2605.section.md +++ b/doc/release-notes/rl-2605.section.md @@ -314,12 +314,6 @@ - `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch. -- Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for `fetchgit`, `fetchpypi` and `fetchFromGithub` fetchers. - `mkDerivation` has been adjusted to reuse this information. - Package-URLs allow reliably identifying and locating software packages. - Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. - Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification. - - `balatro` now supports the Google Play and Xbox PC versions of the game. Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`. - `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.** diff --git a/doc/release-notes/rl-2611.section.md b/doc/release-notes/rl-2611.section.md index ed4f8a8240f36..5a25672b31d6b 100644 --- a/doc/release-notes/rl-2611.section.md 
+++ b/doc/release-notes/rl-2611.section.md @@ -16,7 +16,11 @@ -- Create the first release note entry in this section! +- Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for `fetchgit`, `fetchpypi` and `fetchFromGithub` fetchers. + `mkDerivation` has been adjusted to reuse this information. + Package-URLs allow reliably identifying and locating software packages. + Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. + Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification. ## Nixpkgs Library {#sec-nixpkgs-release-26.11-lib}
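Review bot: In the fetchgit hunk of patch 1, `spec = "${name}?vcs_url=${url}@${(lib.revOrTag rev tag)}"` interpolates the repository URL and revision into the `vcs_url` qualifier without percent-encoding, so the `:`, `/` and `@` of the value end up raw in the PURL, whereas the generic-definition document linked in the comment encodes them (for example `%40` for the `@` before the commit). Run `url` and the revision through an escaping helper such as `lib.escapeURL` before interpolation, and check what `name` holds at this point: if it is the fetcher's store name rather than the project name, the name component of the PURL carries no identifying information.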
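Review bot: In the fetchgithub hunk of patch 1, the github branch builds `spec = "${owner}/${repo}@${(lib.revOrTag rev tag)}"` from `owner` and `repo` as given, but the github type definition linked in the comment requires namespace and name to be lowercased, so `Owner/Repo` and `owner/repo` would produce two different PURLs for the same repository; apply `lib.toLower` to both. The generic fallback for non-github.com hosts has the same unencoded `vcs_url` qualifier as the fetchgit hunk and should use the same escaping.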
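Review bot: In the fetchpypi hunk of patch 1, `spec = "${pname}@${version}"` uses `pname` verbatim, while the pypi type definition linked in the comment expects the name normalized (lowercased, `_` replaced by `-`), so packages whose `pname` carries uppercase letters or underscores yield PURLs that do not match what PyPI-based advisory databases emit; normalize before interpolating. The hunk also promotes `pname` and `version` from `...` to required arguments of the fetcher, which is an interface change that deserves a line in the commit message.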
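Review bot: The jq and popt hunks of patch 1 hard-code tag patterns (`jq-${finalAttrs.version}` and `popt-${finalAttrs.version}-release`) that duplicate what the fetcher already receives through its `tag`/`rev` argument; if upstream changes its tag scheme and only `src` is updated, the PURL silently drifts from the source that was actually fetched. Deriving the spec from the same value that is passed to the fetcher keeps both in sync with a single edit.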
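Review bot: The gem hunk of patch 1 always emits `?platform=${platform}`; the gem type definition it links treats `ruby` as the default platform, so the canonical PURL for the common case omits the qualifier, and emitting it unconditionally makes exact-match lookups against databases that use the canonical form fail. Emit the qualifier only when `platform != "ruby"`.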
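Review bot: In the check-meta hunk of patch 1, the fallback `attrs.src.meta.identifiers.purl or null` relies on `or`, which only covers a missing attribute; if evaluating `attrs.src` itself throws (for example an unsupported-platform `throw`), the error propagates into `meta` evaluation, which is what the release note's request that maintainers audit their `src` tries to work around rather than handle. Wrapping the `src` access in `builtins.tryEval` where `evaluateSrc` is computed would make the lookup robust. The comment numbering is also misleading: step 2 of `purl` says "locally overwritten through meta.identifiers.purl" but reads `attrs.src.meta...`, and a directly set `attrs.meta.identifiers.purl` is never consulted, although the manual calls it an extendable attribute and `purls` does honor its local override. Finally, `inherit v1 purlParts` exposes `purlParts` only at the top level, so `meta.identifiers.v1.purlParts` does not exist while `v1.purl` and `v1.purls` do.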
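Review bot: Patch 2 removes the `src` inheritance and the `allowSrcEvalForDrvMeta` option from check-meta and config.nix, but leaves the documentation inconsistent: the meta.chapter.md hunk still says Package-URLs "shall default to the mkDerivation.src", the release note still tells maintainers to rely on `drv.src.meta.identifiers.v1.purl` and says `mkDerivation` reuses the fetcher information, and patches 3 and 4 carry that wording forward. After this change only `meta.identifiers.purlParts` and `meta.identifiers.purls` set on the derivation itself are read, so the docs should say so or the inheritance should be restored. The two "search for a PURL in the following order" comments now describe a single step each and should go along with the dead numbering.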
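Review bot: The release-note hunks of patches 3 and 4 name the fetcher `fetchFromGithub`; the function is `fetchFromGitHub`, and now that it is in backticks it reads as a code identifier, so the capitalization should match. The same entry refers to `drv.meta.identifiers.v1.purls` while the manual chapter documents `meta.identifiers.purls`; both paths resolve because `v1 // { inherit v1 ... }` merges them, but the documentation should pick one and mention the other as an alias.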