From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id Iv6RMFDGAmQeFgEAbAwnHQ (envelope-from ) for ; Sat, 04 Mar 2023 05:17:20 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id wMQxMFDGAmSSBwEA9RJhRA (envelope-from ) for ; Sat, 04 Mar 2023 05:17:20 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5F44211372 for ; Sat, 4 Mar 2023 05:17:20 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pYJKU-00044i-Mx; Fri, 03 Mar 2023 23:17:06 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pYJKT-00044a-GA for guix-patches@gnu.org; Fri, 03 Mar 2023 23:17:05 -0500 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pYJKQ-0007XB-I7; Fri, 03 Mar 2023 23:17:05 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pYJKQ-0003C4-3r; Fri, 03 Mar 2023 23:17:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#61950] [PATCH] lint: Add 'copyleft' checker. Resent-From: Antero Mejr Original-Sender: "Debbugs-submit" Resent-CC: ludo@gnu.org, guix-patches@gnu.org Resent-Date: Sat, 04 Mar 2023 04:17:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 61950 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 61950@debbugs.gnu.org Cc: Antero Mejr , ludo@gnu.org X-Debbugs-Original-To: guix-patches@gnu.org X-Debbugs-Original-Xcc: ludo@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.167790337112207 (code B ref -1); Sat, 04 Mar 2023 04:17:01 +0000 Received: (at submit) by debbugs.gnu.org; 4 Mar 2023 04:16:11 +0000 Received: from localhost ([127.0.0.1]:35058 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pYJJb-0003Ao-0n for submit@debbugs.gnu.org; Fri, 03 Mar 2023 23:16:11 -0500 Received: from lists.gnu.org ([209.51.188.17]:52080) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pYJJY-0003Ag-MO for submit@debbugs.gnu.org; Fri, 03 Mar 2023 23:16:09 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pYJJY-00041i-Cu for guix-patches@gnu.org; Fri, 03 Mar 2023 23:16:08 -0500 Received: from mout-p-103.mailbox.org ([80.241.56.161]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from ) id 1pYJJU-0007PC-H8 for guix-patches@gnu.org; Fri, 03 Mar 2023 23:16:07 -0500 Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4PTBND0vZmz9sQP for ; Sat, 4 Mar 2023 05:15:56 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailbox.org; s=mail20150812; t=1677903356; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=0nXYu4npn7VW5aNQ1Vd9At6dxXtPMPd0OoVwQdM4ht0=; b=dOPRh0kRqn/Gib7OlqkM3kwvw8qeWUcwif1f10TfZVQGdcdstsJcAysNz/HcmdPTY6dz+i JgeIZyhQNbDLUY/CGy4fzjhRX26aBl1qF1rYffvduTvSKiGBum4zM7NbLrRrTVALo8ruV/ R9QcFAyi209yK8W8mxrC0p9JGxvc4V9ErXCQ4/LYYIO3+7PaWXJoSGQTjUVKk/Wc07HZvF Rvj5QQghk4WP7ZZ8yOispnfty1DZj2+iey7MEDLET1XpMMjFbnEwhsJpkgFoo+haNMmdQP Rxx4laAO3z1/P1/gZrzZDDSwjY1L/p+ratT87396ExVjgEJoukE4ddtcRIamiA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailbox.org; s=mail20150812; t=1677903354; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=0nXYu4npn7VW5aNQ1Vd9At6dxXtPMPd0OoVwQdM4ht0=; b=lTnyQh/73SHJc4MULytZIFk/tMTTJFtH3wVFWbQ+O5P3rRoVMeKchgt1tPt1Zy6cSqhkMp /hzqiH4UoKXUdxFLMH5TT4AkF9/W7LEDWPWRdL8n++tk9TJaJ4iQnhG6CmZ2vHN1i6gSbv iylsBlgJcp8szR8SgK0SjLJx5ilVxEptvyIswnw6goWvvcaGg6kHOqTsVrmzrcP4RSS2cz hANxGSzLMbAtAdVGgEh7Hz1glLpOgGv7xVDldF8TwsMlu7rfzyfW/DeJBZ8m7YI+gSAjTi uMW+T5h4qV7kSBYkgwh7XMjbsLrVSCHUTcMcgaaUjJQEHJYqDFYvFg43ebI0xg== Date: Sat, 4 Mar 2023 04:14:58 +0000 Message-Id: <20230304041458.32761-1-antero@mailbox.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-MBO-RS-META: amy8nbiy56ite5t1nwgpz7mdfzjoqh8t X-MBO-RS-ID: de06bfa725a51da6bea X-Rspamd-Queue-Id: 4PTBND0vZmz9sQP Received-SPF: pass client-ip=80.241.56.161; envelope-from=antero@mailbox.org; helo=mout-p-103.mailbox.org X-Spam_score_int: -23 X-Spam_score: -2.4 X-Spam_bar: -- X-Spam_report: (-2.4 / 5.0 requ) BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Antero Mejr X-ACL-Warn: , Antero Mejr via Guix-patches From: Antero Mejr via Guix-patches via Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1677903440; a=rsa-sha256; cv=none; b=YB7MuopJbzgyNdCpKWTJjblA+2RAj7+483/Nxx+p3kLw1pznuP9g79ven8xIEP2Idd0rzx tttnaQaFegtuOQEj32frg/6tmW2ZfydiALJZ7zTz1ohe302c51rkG8XoTSFFyFjUKfwq4v tfwnSsPl+heq8aUoh0EmzD5HQqN0QOVnekwk6p1g3/mH+HffxAxvtXHJ/cy/ofM/6XOfZ/ gS1Q5IeGhNGRxcDa/DHmqWW/32qz5BLadkclRi64rCbOLADbUen7UcZf9ygT8iWMUsTAqx PeonCi9q+7P1QTeZ4yhZcMeU8DRRo95lthl+qZBK4C7AnCweeaXmjYQWY+C4Tg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=mailbox.org header.s=mail20150812 header.b=dOPRh0kR; dkim=fail ("headers rsa verify failed") header.d=mailbox.org header.s=mail20150812 header.b="lTnyQh/7"; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1677903440; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=0nXYu4npn7VW5aNQ1Vd9At6dxXtPMPd0OoVwQdM4ht0=; b=U54wTcQ0TTSJPI0wblx0wcNJORGR4bs1Q85kyzmOuKFNt7lkT72wWOoNorejCGbXp8B16J 4YsmLQe504jBZ8gANx4bOHQSv2K1SHkvGKTIasmkK9wL5+QbpQz3jIdeWA6fisgRv+UK14 gv4IOtacmPSXrWKbF0J3gqdrpfYcHvqjmvP14lQmowQGRy7oh5scpxeN1i2HlDn3ynpsl/ UbXitLKXf3M16ibTp9QSGzsSnsx2ox/JEsolL440m/YcAqz+nIzXViOvLhr9OnI0EJ+ouW r6/O1JQTWktJo0g3Zv/P6cD4812Ez4r4F+bZVv579apTP3p3EImz7jmvJanbFg== X-Migadu-Scanner: scn1.migadu.com X-Migadu-Spam-Score: -3.60 X-Spam-Score: -3.60 X-Migadu-Queue-Id: 5F44211372 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=mailbox.org header.s=mail20150812 header.b=dOPRh0kR; dkim=fail ("headers rsa verify failed") header.d=mailbox.org header.s=mail20150812 header.b="lTnyQh/7"; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gnu.org X-TUID: eIVNYsIf/aAm * guix/lint.scm (check-copyleft, input->package, report-copyleft-violation, linking-exception?, copyleft?): New procedures. (%local-checkers): Add 'copyleft' checker. * tests/lint.scm ("copyleft: incompatible copyleft input"): New tests. * doc/guix.texi (Invoking guix lint): Mention it. --- This new linter checks for copyleft license violations, where a copylefted package is linked by a package with an incompatible license. It found 2818 incompatible packages. For example, GNU readline (GPL) is being linked by 71 permissively licensed packages. doc/guix.texi | 4 ++ guix/lint.scm | 109 +++++++++++++++++++++++++++++++++++++++++++++++++ tests/lint.scm | 10 +++++ 3 files changed, 123 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index 74658dbc86..be695967a2 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14723,6 +14723,10 @@ corresponding package. This aims to help migrate from the ``old input style''. @xref{package Reference}, for more information on package inputs and input styles. @xref{Invoking guix style}, on how to migrate to the new style. + +@item copyleft +Warn about packages with permissive licenses that are not compatible with +the copyleft licenses of their dependencies. @end table The general syntax is: diff --git a/guix/lint.scm b/guix/lint.scm index 8e3976171f..30745b0930 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -40,6 +40,7 @@ (define-module (guix lint) #:use-module (guix download) #:use-module (guix ftp-client) #:use-module (guix http-client) + #:use-module (guix licenses) #:use-module (guix packages) #:use-module (guix i18n) #:use-module ((guix gexp) @@ -108,6 +109,7 @@ (define-module (guix lint) check-mirror-url check-github-url check-license + check-copyleft check-vulnerabilities check-for-updates check-formatting @@ -1451,6 +1453,12 @@ (define format (with-store store (do-check store)))) + + +;;; +;;; Package licenses. +;;; + (define (check-license package) "Warn about type errors of the 'license' field of PACKAGE." (match (package-license package) @@ -1462,6 +1470,103 @@ (define (check-license package) (make-warning package (G_ "invalid license field") #:field 'license))))) +(define (copyleft? licenses) + "Check if a list of licenses are copyleft." + (let ((lic (if (list? licenses) licenses (list licenses)))) + (map (lambda (x) + (and (license? x) ;some license fields are not license objects + (member (license-name x) + '("AGPL 1" "AGPL 3" "AGPL 3+" + "CC-BY-SA 2.0" "CC-BY-SA 3.0" "CC-BY-SA 4.0" + "CeCILL" "copyleft-next" + "EUPL 1.1" "EUPL 1.2" + "GPL 1" "GPL 1+" "GPL 2" "GPL 2+" "GPL 3" "GPL 3+" + "Sleepycat")) + #t)) + lic))) + +(define (linking-exception? package) + "Check if a package has a known copyleft linking exception or is not linked." + (and (member (package-name package) + '(;; linking exception + "classpath" "guile" "java-classpathx-servletapi" "icedtea" + "uwsgi" + ;; copyleft but not typically linked + "alsa-utils" "acpi" "acpica" "audit" + "bash" "bash-completion" "bash-minimal" "bash-static" "bc" + "bluez" "binutils" "bison" "btrfs-progs" + "catdoc" "cdparanoia" "colord" "colord-minimal" "coreutils" + "coreutils-minimal" "cpuid" "cpupower" "cryptsetup" + "dbus" "dbus-glib" "diffutils" "dmidecode" "dmraid" "dnsmasq" + "dosfstools" "dpkg" + "ebtables" "edac-utils" "egawk-next" "efibootmgr" "espeak" + "espeak-ng" "ethtool" "eudev" + "fcitx" "ffmpeg" "findutils" "fontforge" + "gawk" "gawk-mpfr" "geoclue" "gettext" "gettext-minimal" + "ghostscript" "git" "git-minimal" "gjs" "gnupg" "gnome-desktop" + "gpart" "gperf" "gpm" "grep" "groff" "gzip" + "hddtemp" "hwinfo" "kbd" "kexec-tools" "kmod" + "less" "lm-sensors" "lzip" + "i2c-tools" "inetutils" "inxi" "inxi-minimal" "iproute2" + "iptables" "iso-codes" + "m4" "make" "mariadb" "mawk" "mcelog" "mdadm" "memtester" + "miscfiles" "modem-manager" "module-init-tools" "mpv" "mysql" + "ndctl" "net-tools" "netcat" "nvme-cli" + "pandoc" "parted" "password-store" "pciutils" "perl" + "pkg-config" "postgresql" "procps" "psmisc" "pulseaudio" + "qemu" "qemu-minimal" "ragel" "rpm" "rsync" + "samba" "sane-backends" "sbc" "scummvm" "sed" + "shared-mime-info" "shepherd" "smartmontools" "socat" + "squashfs-tools" "sysstat" + "tar" "time" "torsocks" + "upower" "usbutils" "util-linux" + "valgrind" "vidstab" "volume-key" + "wget" "which" "wl-clipboard" "yelp" "xclip" + "linux-libre-headers" "gnumach-headers" "hurd-headers" + "gcc" "gcc-toolchain" "gfortran" "clang-toolchain" + "ld-wrapper" "ld.lld-wrapper" "lld-wrapper")) + #t)) + +(define (report-copyleft-violation package input-name) + "Report information about a copyleft license violation." + (make-warning package + (G_ "The license of input ~a is copyleft, but the license \ +of package ~a is permissive.") + (list input-name (package-name package)) + #:field 'license)) + +(define (input->package input) + "Convert a package input into a package if possible." + (if (list? input) + (cadr input) + #f)) + +(define (check-copyleft package) + "Check that PACKAGE does not violate copyleft licenses of its inputs." + ;; Assumes all copyleft licenses are compatible, which is true for now + (let* ((pkg-copyleft (member #t (copyleft? (package-license package))))) + (apply append + (map (lambda (input) + (let ((input-copyleft + ;; if any license is permissive, the input is. + ;; be lenient here to avoid false positives + (not (member #f (copyleft? (package-license input)))))) + (if (and input-copyleft + (not pkg-copyleft) + (not (linking-exception? input))) + (list (report-copyleft-violation package + (package-name input))) + '()))) + (filter package? + (map input->package + (append (package-inputs package) + (package-propagated-inputs package)))))))) + + +;;; +;;; Vulnerabilities and updates. +;;; + (define (current-vulnerabilities*) "Like 'current-vulnerabilities', but return the empty list upon networking or HTTP errors. This allows network-less operation and makes problems with @@ -1885,6 +1990,10 @@ (define %local-checkers (description "Make sure the 'license' field is a \ or a list thereof") (check check-license)) + (lint-checker + (name 'copyleft) + (description "Check for copyleft license violations") + (check check-copyleft)) (lint-checker (name 'optional-tests) (description "Make sure tests are only run when requested") diff --git a/tests/lint.scm b/tests/lint.scm index ce22e2355a..1ae64510b6 100644 --- a/tests/lint.scm +++ b/tests/lint.scm @@ -40,6 +40,7 @@ (define-module (test-lint) #:use-module (guix build-system emacs) #:use-module (guix build-system gnu) #:use-module (guix packages) + #:use-module ((guix licenses) #:prefix license:) #:use-module (guix lint) #:use-module (guix ui) #:use-module (guix swh) @@ -51,6 +52,7 @@ (define-module (test-lint) #:use-module (gnu packages glib) #:use-module (gnu packages pkg-config) #:use-module (gnu packages python-build) + #:use-module (gnu packages readline) #:use-module ((gnu packages bash) #:select (bash bash-minimal)) #:use-module (web uri) #:use-module (web server) @@ -665,6 +667,14 @@ (define hsab (string-append (assoc-ref inputs "hsab") (single-lint-warning-message (check-license (dummy-package "x" (license #f))))) +(test-equal "copyleft: incompatible copyleft input" + "The license of input readline is copyleft, but the license of package x is permissive." + (single-lint-warning-message + (check-copyleft + (dummy-package "x" + (inputs `(("readline" ,readline))) + (license license:bsd-3))))) + (test-equal "home-page: wrong home-page" "invalid value for home page" (let ((pkg (package -- 2.38.1