diff options
Diffstat (limited to 'pkgs/README.md')
-rw-r--r-- | pkgs/README.md | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/pkgs/README.md b/pkgs/README.md index 4c736e658f093..8559d9bee0271 100644 --- a/pkgs/README.md +++ b/pkgs/README.md @@ -474,6 +474,53 @@ If you do need to do create this sort of patch file, one way to do so is with gi $ git diff -a > nixpkgs/pkgs/the/package/0001-changes.patch ``` +## Deprecating/removing packages {#submitting-changes-deprecating-packages} + +There is currently no policy when to remove a package. + +Before removing a package, one should try to find a new maintainer or fix smaller issues first. + +### Steps to remove a package from Nixpkgs {#steps-to-remove-a-package-from-nixpkgs} + +We use jbidwatcher as an example for a discontinued project here. + +1. Have Nixpkgs checked out locally and up to date. +1. Create a new branch for your change, e.g. `git checkout -b jbidwatcher` +1. Remove the actual package including its directory, e.g. `git rm -rf pkgs/applications/misc/jbidwatcher` +1. Remove the package from the list of all packages (`pkgs/top-level/all-packages.nix`). +1. Add an alias for the package name in `pkgs/top-level/aliases.nix` (There is also `pkgs/applications/editors/vim/plugins/aliases.nix`. Package sets typically do not have aliases, so we can't add them there.) + + For example in this case: + + ``` + jbidwatcher = throw "jbidwatcher was discontinued in march 2021"; # added 2021-03-15 + ``` + + The throw message should explain in short why the package was removed for users that still have it installed. + +1. Test if the changes introduced any issues by running `nix-env -qaP -f . --show-trace`. It should show the list of packages without errors. +1. Commit the changes. Explain again why the package was removed. If it was declared discontinued upstream, add a link to the source. + + ```ShellSession + $ git add pkgs/applications/misc/jbidwatcher/default.nix pkgs/top-level/all-packages.nix pkgs/top-level/aliases.nix + $ git commit + ``` + + Example commit message: + + ``` + jbidwatcher: remove + + project was discontinued in march 2021. the program does not work anymore because ebay changed the login. + + https://web.archive.org/web/20210315205723/http://www.jbidwatcher.com/ + ``` + +1. Push changes to your GitHub fork with `git push` +1. Create a pull request against Nixpkgs. Mention the package maintainer. + +This is how the pull request looks like in this case: [https://github.com/NixOS/nixpkgs/pull/116470](https://github.com/NixOS/nixpkgs/pull/116470) + ## Testing changes | Package tests {#sec-package-tests} To run the main types of tests locally: @@ -696,3 +743,25 @@ Sample template for a new package review is provided below. ##### Comments ``` + +## (Security) + +### Submitting security fixes {#submitting-changes-submitting-security-fixes} + +Security fixes are submitted in the same way as other changes and thus the same guidelines apply. + +- If a new version fixing the vulnerability has been released, update the package; +- If the security fix comes in the form of a patch and a CVE is available, then add the patch to the Nixpkgs tree, and apply it to the package. + The name of the patch should be the CVE identifier, so e.g. `CVE-2019-13636.patch`; If a patch is fetched the name needs to be set as well, e.g.: + + ```nix + (fetchpatch { + name = "CVE-2019-11068.patch"; + url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch"; + hash = "sha256-SEKe/8HcW0UBHCfPTTOnpRlzmV2nQPPeL6HOMxBZd14="; + }) + ``` + +If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch. + +Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`. |