licenses.sspl cannot be used in allowlistedLicenses/blocklistedLicenses or shortName should link to lib.licenses atrrset

[ony]

Describe the bug

Looks like blocklistedLicenses/allowlistedLicenses require referenced licenses shortName to match attribute name of lib.licenses.
This is broken for SSPL license and for some packages that have inline license attrset.

Steps To Reproduce

Steps to reproduce the behavior:

1. Add nixpkgs.config.blocklistedLicenses = [ pkgs.lib.licenses.sspl ]; (can use also allowlistedLicenses) in NixOS global configuration.
2. Try to build configuration.

Expected behavior

• Can build your system unless it references package with license sspl (I guess Mongodb related stuff) and which is referenced in blocklistedLicenses.

• Can reference licenses in-lined in packages . E.g. pkgs.ntp.meta.license (or its direct value)

nixpkgs/pkgs/tools/networking/ntp/default.nix

Lines 33 to 36 in 048fd95

	license = {
	# very close to isc and bsd2
	url = "https://www.eecis.udel.edu/~mills/ntp/html/copyright.html";
	};

Screenshots

error: ‘SSPL’ is not an attribute of lib.licenses

       … while evaluating anonymous lambda

       at /nix/store/9lx5wss5ky22gjfwwr2ia2h6h6f039qb-source/pkgs/stdenv/generic/check-meta.nix:23:20:

           22|   onlyLicenses = list:
           23|     lib.lists.all (license:
             |                    ^
           24|       let l = lib.licenses.${license.shortName or "BROKEN"} or false; in

       … from call site
...
       at /nix/store/9lx5wss5ky22gjfwwr2ia2h6h6f039qb-source/pkgs/stdenv/generic/check-meta.nix:31:14:

           30|     if lib.mutuallyExclusive allowlist blocklist then
           31|       assert onlyLicenses allowlist; assert onlyLicenses blocklist; true
             |              ^
           32|     else

       … while evaluating 'checkValidity'
...
       at /nix/store/9lx5wss5ky22gjfwwr2ia2h6h6f039qb-source/lib/attrsets.nix:369:15:

          368|       inherit name;
          369|       value = f name (catAttrs name sets);
             |               ^
          370|     }) names);

       … while evaluating the attribute 'ssh'

Additional context

This was found out in attempt to use pre-approved list of "safe" open source licenses by adding in blocklistedLicenses all that are not on the list but present in lib.licenses. But sspl have next definition (notice upper case in shortName):

nixpkgs/lib/licenses.nix

Lines 757 to 759 in 048fd95

	sspl = {
	shortName = "SSPL";
	fullName = "Server Side Public License";

In order to fully implement pre-approved "allow list" (different from allowlistedLicenses) it is required to be able to reference licenses that are in package meta but not in lib.licenses.

Notify maintainers

MongoDB maintainers: @bluescreen303 @offline @cstrahan

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

zsh%  nix run nixpkgs\#nix-info -- -m

• system: "x86_64-linux"
• host os: Linux 5.10.81, NixOS, 21.11 (Porcupine)
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.4
• channels(root): "nixos-21.11.334684.1158f346391"
• channels(nikolay): "nixpkgs-unstable-21.11pre310022.14b0f20fa1f"
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

[ony]

Why do we even have this restriction in a first place?

nixpkgs/pkgs/stdenv/generic/check-meta.nix

Lines 22 to 27 in c4bb908

	onlyLicenses = list:
	lib.lists.all (license:
	let l = lib.licenses.${license.shortName or "BROKEN"} or false; in
	if license == l then true else
	throw ''‘${showLicense license}’ is not an attribute of lib.licenses''
	) list;

I'm not sure what it solves.

And documentation is silent about side-effect of using in-place license which is that it is not usable in allowlistedLicenses/blocklistedLicenses.

Tracing back to when it was introduced led me to commit from 2015 with sole description "stdenv: take license parameter checks out of mkDerivation path". But original code had no such restrictions:

nixpkgs/pkgs/stdenv/generic/default.nix

Lines 91 to 113 in aca361f

	# Check whether an package has the license set
	licenseCheckable = attr:
	builtins.hasAttr "meta" attrs && builtins.hasAttr "license" attrs.meta;
	# Check whether the license of the package is whitelisted.
	# If the package has no license, print a warning about this and allow the
	# package (return that it is actually whitelisted)
	hasWhitelistedLicense = attrs:
	if licenseCheckable attrs then
	builtins.elem attrs.meta.license whitelistedLicenses
	else
	#builtins.trace "Has no license: ${attrs.name}, allowing installation"
	true;
	# Check whether the license of the package is blacklisted.
	# If the package has no license, print a warning about this and allow the
	# package (return that it is actually not blacklisted)
	hasBlacklistedLicense = attrs:
	if licenseCheckable attrs then
	builtins.elem attrs.meta.license blacklistedLicenses
	else
	#builtins.trace "Has no license: ${attrs.name}, allowing installation"
	false;

(this is roughly what I expected when I tried to use blocklistedLicenses)

Can we remove this restriction?
This will allow to use licenses out of nixpkgs (my attempt to patch lib.licenses with overlay was no successful).

[ncfavier]

@wmertens do you remember why you added this in 0feb19b ?

[wmertens]

Oops I missed this question, sorry. I don't remember, but I expect that I added the check to make sure that all licenses are maintained in the central registry.