Fail haskell build package on white/black-listed licenses

I’m trying to ensure that my project does not use specific licenses.
Here is the pinned nixpkgs in my project; I’m trying to test package filtering with the whitelistedLicenses configuration:

let
  fetchNixpkgs =
    rev:
    builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";

  importNixpkgs =
    rev:
    let
      pkgsSrc = fetchNixpkgs rev;
      lib = import "${pkgsSrc}/lib";
    in
    import pkgsSrc {
      config = {
        allowBroken = true;
        checkMeta = true;
        whitelistedLicenses = with lib.licenses; [ agpl3Only ];
      };
    };

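  pkgs = importNixpkgs "3821543de7ec3f9a19bdbd7ec0bfd98b9b3253f3";
in
# Close the let so the excerpt evaluates on its own; the rest of the project's expression is not shown in the post.
pkgs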

If I understand correctly, it should fail because whitelistedLicenses should allow only agpl3Only-licensed packages. But the build doesn’t fail.
Is there a way to ensure that my project doesn’t use any GPL-based licenses?

The whitelistedLicenses attribute is somewhat confusingly named. It actually only serves as a list of exceptions to unfree licenses, not a true whitelist:

That is, when a package’s meta.license contains a license considered unfree and also contains a (possibly different) license from whitelistedLicenses, the package will not be considered unfree. 🤷‍♀

You could probably achieve what you want by adding all licenses from lib.licenses except for agpl3Only to blacklistedLicenses.

But I do not see how allowing only that specific license will work. I doubt there are any AGPL 3.0 only packages that do not depend on anything. Even GNU Make, which is part of the build closure of almost everything, is GPL 3 or later.

Thank you for the reply. The whitelist really is confusing.
My example is also a little bit confusing. It was just for testing.
Thank you very much for the response!

I tried to find out which Haskell packages have licenses:

$ ag gpl | grep haskell | grep license | awk '{ print $4;}' | sort | uniq
"AGPL";
"BSD-3-Clause
"GPL";
"GPL-2.0-or-later
"GPL-3.0-or-later
"LGPL";
stdenv.lib.licenses.agpl3;
stdenv.lib.licenses.agpl3Plus;
stdenv.lib.licenses.gpl2;
stdenv.lib.licenses.gpl2Plus;
stdenv.lib.licenses.gpl3;
stdenv.lib.licenses.gpl3Plus;
stdenv.lib.licenses.lgpl2;
stdenv.lib.licenses.lgpl21;
stdenv.lib.licenses.lgpl21Plus;
stdenv.lib.licenses.lgpl3;

It is strange to see some licenses as strings, for example: “AGPL”.
blacklistedLicenses can’t accept strings, is it possible to handle such cases and blacklist “AGPL”?

Hmm, looks like the packages either did not use an SPDX identifier, so they could not be matched to a license attrset (AGPL example), or different parts of the project are distributed under different licenses (AND example). The first should be fixed per-project on Hackage; the latter Nix actually supports (a list in meta.license has AND/intersection semantics), but cabal2nix does not handle them at the moment.

Of course string licenses are still supported, as are ad-hoc licenses not listed in lib/license.nix, so we should probably remove the restrictions in check-meta.nix.

Feel free to open an issue or pull request for any of those problems. Or if you just want to move on, you can use the fact that Nix is a programming language and traverse the dependency tree and do the checks yourself.

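The traversal suggested in the reply above, as an added example (not code from the thread or from nixpkgs): it walks a package's dependency inputs and reports every entry whose meta.license names a GPL-family license, whether that license is an attrset, a bare string such as "AGPL", or a list. The package attrsets at the bottom are constructed stand-ins; the helper names, keying the closure by name, and matching on the substring "GPL" are assumptions of this sketch.

```nix
# Evaluate offline with: nix-instantiate --eval --strict license-audit.nix
let
  # Normalise meta.license (attrset, string, or a list of either) to a list of names.
  licenseNames = drv:
    let
      raw = drv.meta.license or [ ];
      asList = if builtins.isList raw then raw else [ raw ];
      nameOf = l:
        if builtins.isString l then l else l.spdxId or l.shortName or "unknown";
    in
    map nameOf asList;

  # Direct dependencies; null entries and plain paths/strings are skipped.
  depsOf = drv:
    builtins.filter (d: builtins.isAttrs d && d ? name)
      ((drv.buildInputs or [ ])
        ++ (drv.propagatedBuildInputs or [ ])
        ++ (drv.nativeBuildInputs or [ ]));

  # Transitive closure, deduplicated by name (assumption: names are unique here).
  closure = root:
    builtins.genericClosure {
      startSet = [ { key = root.name; drv = root; } ];
      operator = item: map (d: { key = d.name; drv = d; }) (depsOf item.drv);
    };

  # Assumption: any identifier containing "GPL" (GPL, LGPL, AGPL) is forbidden.
  isForbidden = n: builtins.match ".*[Gg][Pp][Ll].*" n != null;

  # One finding per package that carries at least one forbidden license.
  audit = root:
    builtins.filter (f: f.licenses != [ ])
      (map (i: { name = i.key; licenses = builtins.filter isForbidden (licenseNames i.drv); })
        (closure root));

  # Abort evaluation, and therefore the build, when the audit has findings.
  enforce = root:
    if audit root == [ ] then root
    else throw "forbidden licenses in closure: ${builtins.toJSON (audit root)}";

  # Constructed sample packages (not real nixpkgs derivations).
  libA = { name = "liba-1.0"; meta.license = { spdxId = "BSD-3-Clause"; shortName = "bsd3"; }; };
  libB = { name = "libb-2.1"; meta.license = "AGPL"; propagatedBuildInputs = [ libA ]; };
  libC = { name = "libc-0.3"; meta.license = [ { spdxId = "MIT"; } { spdxId = "LGPL-3.0-only"; } ]; };
  app = { name = "app-0.1"; meta.license = { spdxId = "MIT"; }; buildInputs = [ libB libC null ]; };
in
audit app # replace with `enforce app` to make evaluation fail on findings
```

Because only the listed input attributes are followed, the toolchain that stdenv provides implicitly (GNU Make, for example) is not visited, which keeps the check focused on the libraries the project itself pulls in.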

Thank you for your help!

Wed, 20 Jan 2021, 11:14 Jan Tojnar via NixOS Discourse <nixos1@discoursemail.com>: