doc/contributing/submitting-changes.chapter.md at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / doc / contributing / submitting-changes.chapter.md
at 23.11-pre 17 kB view raw view rendered
  1# Submitting changes {#chap-submitting-changes}
  2
  3## Making patches {#submitting-changes-making-patches}
  4
  5- Read [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/).
  6
  7- Fork [the Nixpkgs repository](https://github.com/nixos/nixpkgs/) on GitHub.
  8
  9- Create a branch for your future fix.
 10
 11  - You can make branch from a commit of your local `nixos-version`. That will help you to avoid additional local compilations. Because you will receive packages from binary cache. For example
 12
 13    ```ShellSession
 14    $ nixos-version --hash
 15    0998212
 16    $ git checkout 0998212
 17    $ git checkout -b 'fix/pkg-name-update'
 18    ```
 19
 20  - Please avoid working directly on the `master` branch.
 21
 22- Make commits of logical units.
 23
 24- If you removed pkgs or made some major NixOS changes, write about it in the release notes for the next stable release. For example `nixos/doc/manual/release-notes/rl-2003.xml`.
 25
 26- Check for unnecessary whitespace with `git diff --check` before committing.
 27
 28- Format the commit in a following way:
 29
 30  ```
 31  (pkg-name | nixos/<module>): (from -> to | init at version | refactor | etc)
 32  Additional information.
 33  ```
 34
 35  - Examples:
 36    - `nginx: init at 2.0.1`
 37    - `firefox: 54.0.1 -> 55.0`
 38    - `nixos/hydra: add bazBaz option`
 39    - `nixos/nginx: refactor config generation`
 40
 41- Test your changes. If you work with
 42
 43  - nixpkgs:
 44
 45    - update pkg
 46      - `nix-env -iA pkg-attribute-name -f <path to your local nixpkgs folder>`
 47    - add pkg
 48      - Make sure it’s in `pkgs/top-level/all-packages.nix`
 49      - `nix-env -iA pkg-attribute-name -f <path to your local nixpkgs folder>`
 50    - _If you don’t want to install pkg in you profile_.
 51      - `nix-build -A pkg-attribute-name <path to your local nixpkgs folder>` and check results in the folder `result`. It will appear in the same directory where you did `nix-build`.
 52    - If you installed your package with `nix-env`, you can run `nix-env -e pkg-name` where `pkg-name` is as reported by `nix-env -q` to uninstall it from your system.
 53
 54  - NixOS and its modules:
 55    - You can add new module to your NixOS configuration file (usually it’s `/etc/nixos/configuration.nix`). And do `sudo nixos-rebuild test -I nixpkgs=<path to your local nixpkgs folder> --fast`.
 56
 57- If you have commits `pkg-name: oh, forgot to insert whitespace`: squash commits in this case. Use `git rebase -i`.
 58
 59- [Rebase](https://git-scm.com/book/en/v2/Git-Branching-Rebasing) your branch against current `master`.
 60
 61## Submitting changes {#submitting-changes-submitting-changes}
 62
 63- Push your changes to your fork of nixpkgs.
 64- Create the pull request
 65- Follow [the contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#submitting-changes).
 66
 67## Submitting security fixes {#submitting-changes-submitting-security-fixes}
 68
 69Security fixes are submitted in the same way as other changes and thus the same guidelines apply.
 70
 71- If a new version fixing the vulnerability has been released, update the package;
 72- If the security fix comes in the form of a patch and a CVE is available, then add the patch to the Nixpkgs tree, and apply it to the package.
 73  The name of the patch should be the CVE identifier, so e.g. `CVE-2019-13636.patch`; If a patch is fetched the name needs to be set as well, e.g.:
 74
 75  ```nix
 76  (fetchpatch {
 77    name = "CVE-2019-11068.patch";
 78    url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch";
 79    hash = "sha256-SEKe/8HcW0UBHCfPTTOnpRlzmV2nQPPeL6HOMxBZd14=";
 80  })
 81  ```
 82
 83If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch.
 84
 85Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`.
 86
 87## Deprecating/removing packages {#submitting-changes-deprecating-packages}
 88
 89There is currently no policy when to remove a package.
 90
 91Before removing a package, one should try to find a new maintainer or fix smaller issues first.
 92
 93### Steps to remove a package from Nixpkgs {#steps-to-remove-a-package-from-nixpkgs}
 94
 95We use jbidwatcher as an example for a discontinued project here.
 96
 971. Have Nixpkgs checked out locally and up to date.
 981. Create a new branch for your change, e.g. `git checkout -b jbidwatcher`
 991. Remove the actual package including its directory, e.g. `git rm -rf pkgs/applications/misc/jbidwatcher`
1001. Remove the package from the list of all packages (`pkgs/top-level/all-packages.nix`).
1011. Add an alias for the package name in `pkgs/top-level/aliases.nix` (There is also `pkgs/applications/editors/vim/plugins/aliases.nix`. Package sets typically do not have aliases, so we can't add them there.)
102
103    For example in this case:
104
105    ```
106    jbidwatcher = throw "jbidwatcher was discontinued in march 2021"; # added 2021-03-15
107    ```
108
109    The throw message should explain in short why the package was removed for users that still have it installed.
110
1111. Test if the changes introduced any issues by running `nix-env -qaP -f . --show-trace`. It should show the list of packages without errors.
1121. Commit the changes. Explain again why the package was removed. If it was declared discontinued upstream, add a link to the source.
113
114    ```ShellSession
115    $ git add pkgs/applications/misc/jbidwatcher/default.nix pkgs/top-level/all-packages.nix pkgs/top-level/aliases.nix
116    $ git commit
117    ```
118
119    Example commit message:
120
121    ```
122    jbidwatcher: remove
123
124    project was discontinued in march 2021. the program does not work anymore because ebay changed the login.
125
126    https://web.archive.org/web/20210315205723/http://www.jbidwatcher.com/
127    ```
128
1291. Push changes to your GitHub fork with `git push`
1301. Create a pull request against Nixpkgs. Mention the package maintainer.
131
132This is how the pull request looks like in this case: [https://github.com/NixOS/nixpkgs/pull/116470](https://github.com/NixOS/nixpkgs/pull/116470)
133
134## Pull Request Template {#submitting-changes-pull-request-template}
135
136The pull request template helps determine what steps have been made for a contribution so far, and will help guide maintainers on the status of a change. The motivation section of the PR should include any extra details the title does not address and link any existing issues related to the pull request.
137
138When a PR is created, it will be pre-populated with some checkboxes detailed below:
139
140### Tested using sandboxing {#submitting-changes-tested-with-sandbox}
141
142When sandbox builds are enabled, Nix will setup an isolated environment for each build process. It is used to remove further hidden dependencies set by the build environment to improve reproducibility. This includes access to the network during the build outside of `fetch*` functions and files outside the Nix store. Depending on the operating system access to other resources are blocked as well (ex. inter process communication is isolated on Linux); see [sandbox](https://nixos.org/nix/manual/#conf-sandbox) in Nix manual for details.
143
144Sandboxing is not enabled by default in Nix due to a small performance hit on each build. In pull requests for [nixpkgs](https://github.com/NixOS/nixpkgs/) people are asked to test builds with sandboxing enabled (see `Tested using sandboxing` in the pull request template) because in<https://nixos.org/hydra/> sandboxing is also used.
145
146Depending if you use NixOS or other platforms you can use one of the following methods to enable sandboxing **before** building the package:
147
148- **Globally enable sandboxing on NixOS**: add the following to `configuration.nix`
149
150  ```nix
151  nix.useSandbox = true;
152  ```
153
154- **Globally enable sandboxing on non-NixOS platforms**: add the following to: `/etc/nix/nix.conf`
155
156  ```ini
157  sandbox = true
158  ```
159
160### Built on platform(s) {#submitting-changes-platform-diversity}
161
162Many Nix packages are designed to run on multiple platforms. As such, it’s important to let the maintainer know which platforms your changes have been tested on. It’s not always practical to test a change on all platforms, and is not required for a pull request to be merged. Only check the systems you tested the build on in this section.
163
164### Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests) {#submitting-changes-nixos-tests}
165
166Packages with automated tests are much more likely to be merged in a timely fashion because it doesn’t require as much manual testing by the maintainer to verify the functionality of the package. If there are existing tests for the package, they should be run to verify your changes do not break the tests. Tests can only be run on Linux. For more details on writing and running tests, see the [section in the NixOS manual](https://nixos.org/nixos/manual/index.html#sec-nixos-tests).
167
168### Tested compilation of all pkgs that depend on this change using `nixpkgs-review` {#submitting-changes-tested-compilation}
169
170If you are updating a package’s version, you can use `nixpkgs-review` to make sure all packages that depend on the updated package still compile correctly. The `nixpkgs-review` utility can look for and build all dependencies either based on uncommitted changes with the `wip` option or specifying a GitHub pull request number.
171
172Review changes from pull request number 12345:
173
174```ShellSession
175nix-shell -p nixpkgs-review --run "nixpkgs-review pr 12345"
176```
177
178Alternatively, with flakes (and analogously for the other commands below):
179
180```ShellSession
181nix run nixpkgs#nixpkgs-review -- pr 12345
182```
183
184Review uncommitted changes:
185
186```ShellSession
187nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
188```
189
190Review changes from last commit:
191
192```ShellSession
193nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
194```
195
196### Tested execution of all binary files (usually in `./result/bin/`) {#submitting-changes-tested-execution}
197
198It’s important to test any executables generated by a build when you change or create a package in nixpkgs. This can be done by looking in `./result/bin` and running any files in there, or at a minimum, the main executable for the package. For example, if you make a change to texlive, you probably would only check the binaries associated with the change you made rather than testing all of them.
199
200### Meets Nixpkgs contribution standards {#submitting-changes-contribution-standards}
201
202The last checkbox is fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md). The contributing document has detailed information on standards the Nix community has for commit messages, reviews, licensing of contributions you make to the project, etc... Everyone should read and understand the standards the community has for contributing before submitting a pull request.
203
204## Hotfixing pull requests {#submitting-changes-hotfixing-pull-requests}
205
206- Make the appropriate changes in you branch.
207- Don’t create additional commits, do
208  - `git rebase -i`
209  - `git push --force` to your branch.
210
211## Commit policy {#submitting-changes-commit-policy}
212
213- Commits must be sufficiently tested before being merged, both for the master and staging branches.
214- Hydra builds for master and staging should not be used as testing platform, it’s a build farm for changes that have been already tested.
215- When changing the bootloader installation process, extra care must be taken. Grub installations cannot be rolled back, hence changes may break people’s installations forever. For any non-trivial change to the bootloader please file a PR asking for review, especially from \@edolstra.
216
217```{.graphviz caption="Staging workflow"}
218digraph {
219    "small changes" [shape=none]
220    "mass-rebuilds and other large changes" [shape=none]
221    "critical security fixes" [shape=none]
222    "broken staging-next fixes" [shape=none]
223
224    "small changes" -> master
225    "mass-rebuilds and other large changes" -> staging
226    "critical security fixes" -> master
227    "broken staging-next fixes" -> "staging-next"
228
229    "staging-next" -> master [color="#E85EB0"] [label="stabilization ends"] [fontcolor="#E85EB0"]
230    "staging" -> "staging-next" [color="#E85EB0"] [label="stabilization starts"] [fontcolor="#E85EB0"]
231
232    master -> "staging-next" -> staging [color="#5F5EE8"] [label="every six hours (GitHub Action)"] [fontcolor="#5F5EE8"]
233}
234```
235
236[This GitHub Action](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/periodic-merge-6h.yml) brings changes from `master` to `staging-next` and from `staging-next` to `staging` every 6 hours; these are the blue arrows in the diagram above.  The purple arrows in the diagram above are done manually and much less frequently.  You can get an idea of how often these merges occur by looking at the git history.
237
238
239### Master branch {#submitting-changes-master-branch}
240
241The `master` branch is the main development branch. It should only see non-breaking commits that do not cause mass rebuilds.
242
243### Staging branch {#submitting-changes-staging-branch}
244
245The `staging` branch is a development branch where mass-rebuilds go. Mass rebuilds are commits that cause rebuilds for many packages, like more than 500 (or perhaps, if it's 'light' packages, 1000). It should only see non-breaking mass-rebuild commits. That means it is not to be used for testing, and changes must have been well tested already. If the branch is already in a broken state, please refrain from adding extra new breakages.
246
247During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes.
248
249### Staging-next branch {#submitting-changes-staging-next-branch}
250
251The `staging-next` branch is for stabilizing mass-rebuilds submitted to the `staging` branch prior to merging them into `master`. Mass-rebuilds must go via the `staging` branch. It must only see non-breaking commits that are fixing issues blocking it from being merged into the `master` branch.
252
253If the branch is already in a broken state, please refrain from adding extra new breakages. Stabilize it for a few days and then merge into master.
254
255During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes.
256
257### Stable release branches {#submitting-changes-stable-release-branches}
258
259The same staging workflow applies to stable release branches, but the main branch is called `release-*` instead of `master`.
260
261Example branch names: `release-21.11`, `staging-21.11`, `staging-next-21.11`.
262
263Most changes added to the stable release branches are cherry-picked (“backported”) from the `master` and staging branches.
264
265#### Automatically backporting a Pull Request {#submitting-changes-stable-release-branches-automatic-backports}
266
267Assign label `backport <branch>` (e.g. `backport release-21.11`) to the PR and a backport PR is automatically created after the PR is merged.
268
269#### Manually backporting changes {#submitting-changes-stable-release-branches-manual-backports}
270
271Cherry-pick changes via `git cherry-pick -x <original commit>` so that the original commit id is included in the commit message.
272
273Add a reason for the backport when it is not obvious from the original commit message. You can do this by cherry picking with `git cherry-pick -xe <original commit>`, which allows editing the commit message. This is not needed for minor version updates that include security and bug fixes but don't add new features or when the commit fixes an otherwise broken package.
274
275Here is an example of a cherry-picked commit message with good reason description:
276
277```
278zfs: Keep trying root import until it works
279
280Works around #11003.
281
282(cherry picked from commit 98b213a11041af39b39473906b595290e2a4e2f9)
283
284Reason: several people cannot boot with ZFS on NVMe
285```
286
287Other examples of reasons are:
288
289- Previously the build would fail due to, e.g., `getaddrinfo` not being defined
290- The previous download links were all broken
291- Crash when starting on some X11 systems
292
293#### Acceptable backport criteria {#acceptable-backport-criteria}
294
295The stable branch does have some changes which cannot be backported. Most notable are breaking changes. The desire is to have stable users be uninterrupted when updating packages.
296
297However, many changes are able to be backported, including:
298- New Packages / Modules
299- Security / Patch updates
300- Version updates which include new functionality (but no breaking changes)
301- Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
302- Security critical applications (E.g. `firefox`)