Transitive source provenance / tainting

Is there a Nix-backed way to determine for a given package whether it has been exposed to other source types than sourceTypes.fromSource through its transitive or direct build time dependencies?

This may be relevant for the supply-chain security objective of the meta.sourceProvenance metadata (see [1] for rationale).

[1] Reflections on trusting trust | Communications of the ACM

check-meta should be doing this, and in my experience it propagates: if any package in your nixos config is forbidden, the entire evaluation fails.


Yes, thanks, but I’m looking for something more flexible than having the evaluation fail completely. Like in the Linux kernel, which will know it’s tainted when I insmod some binary blob, but will still run.

Ideally introspective, so I can do something like isTainted pkgs.foo from a Nix REPL. And technically, a package where non-source code hasn’t been used to build the result but only during a check phase might not be considered as tainted, while it won’t be possible to build it with NIXPKGS_ALLOW_NONSOURCE=0.
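One way to get the introspective `isTainted pkgs.foo` described above, as an added example that is not code from the thread or from nixpkgs: it walks the evaluation-time inputs of a derivation and reports which of them declare a `meta.sourceProvenance` entry other than `fromSource`. The names `directInputs`, `closure`, `taintedBy` and `isTainted` are hypothetical; it assumes a nixpkgs that already carries `lib.sourceTypes` and `meta.sourceProvenance`.

```nix
# taint.nix (added example, not part of nixpkgs). Load from a REPL with
#   nix repl> t = import ./taint.nix { }
#   nix repl> t.isTainted pkgs.foo
#   nix repl> map (d: d.name) (t.taintedBy pkgs.foo)
{ pkgs ? import <nixpkgs> { }, lib ? pkgs.lib }:
let
  # Inputs as the evaluator sees them: every derivation (or list of
  # derivations) referenced from drvAttrs (src, buildInputs, nativeBuildInputs,
  # stdenv, ...). Dependencies that only reach the derivation through store
  # paths embedded in strings are not visible here, so this is an
  # evaluation-level approximation, not the store closure.
  directInputs = drv:
    let
      pick = v:
        if lib.isDerivation v then [ v ]
        else if builtins.isList v then lib.concatMap pick v
        else [ ];
    in lib.concatMap pick (builtins.attrValues (drv.drvAttrs or { }));

  # Transitive closure over directInputs, de-duplicated by drvPath.
  closure = drv:
    map (x: x.value) (builtins.genericClosure {
      startSet = [ { key = drv.drvPath; value = drv; } ];
      operator = x:
        map (d: { key = d.drvPath; value = d; }) (directInputs x.value);
    });

  # Source types in lib.sourceTypes carry an isSource flag; anything without it
  # (binaryNativeCode, binaryBytecode, binaryFirmware) counts as non-source.
  # Packages that declare no sourceProvenance at all are treated as unknown and
  # are not reported.
  nonSourceTypes = drv:
    builtins.filter (t: !(t.isSource or false))
      (drv.meta.sourceProvenance or [ ]);

  # Every derivation in the build-time closure that is itself non-source.
  # Note: this does not distinguish inputs used only in checkPhase from inputs
  # that end up in the output; that needs checkPhase split off as a separate
  # derivation, as discussed below in the thread.
  taintedBy = drv: builtins.filter (d: nonSourceTypes d != [ ]) (closure drv);
in
{
  inherit directInputs closure nonSourceTypes taintedBy;
  isTainted = drv: taintedBy drv != [ ];
}
```

Because `closure` forces `drvPath` for every dependency, the first call on a large package evaluates the whole bootstrap chain and can take a while; it does not build anything.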

I don’t think anything in stdenv prevents the output from being changed in checkPhase, so we would first need to split checkPhase off into a separate derivation to safely do this.


Ok, that’s really kind of bad.

Anyway, thanks for the hints as they really helped me better understand the current status of source provenance control.