Transitive source provenance / tainting

Is there a Nix-backed way to determine for a given package whether it has been exposed to other source types than sourceTypes.fromSource through its transitive or direct build time dependencies?

This may be relevant for the supply-chain security objective of the meta.sourceProvenance metadata (see [1] for rationale).

[1] Reflections on trusting trust | Communications of the ACM

check-meta should be doing this and in my experience is that propagating as in if any package in your nixos config is forbidden, the entire evaluation fails.

1 Like

Yes, thanks, but I’m looking for something more flexible than having the evaluation fail completely. Like in the Linux kernel, which will know it’s tainted when I insmod some binary blob, but will still run.

Ideally introspective, so I can do something like isTainted from a Nix REPL. And technically, a package where non-source code hasn’t been used to build the result but only during a check phase might not be considered as tainted, while it won’t be possible to build it with NIXPKGS_ALLOW_NONSOURCE=0.

I don’t think anything in stdenv prevents that the output is changed in checkPhase, so we would first need to split checkPhase off into a separate derivation to safely to this.

1 Like

Ok, that’s really kind of bad.

Anyway, thanks for the hints as they really helped me better understand the current status of source provenance control.