From 6e180e8e5c890b772c6170b347b7ee4a9ee869f2 Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Sun, 8 Dec 2024 22:00:32 -0400
Subject: [PATCH 1/3] dotnet/wrapper: don't inherit meta from unwrapped

---
 pkgs/development/compilers/dotnet/wrapper.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/compilers/dotnet/wrapper.nix b/pkgs/development/compilers/dotnet/wrapper.nix
index fe09151fb8fea..90b520519f942 100644
--- a/pkgs/development/compilers/dotnet/wrapper.nix
+++ b/pkgs/development/compilers/dotnet/wrapper.nix
@@ -22,7 +22,18 @@ type: unwrapped:
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "${unwrapped.pname}-wrapped";
-  inherit (unwrapped) version meta;
+  inherit (unwrapped) version;
+
+  meta = {
+    description = "${unwrapped.meta.description or "dotnet"} (wrapper)";
+    mainProgram = "dotnet";
+    inherit (unwrapped.meta)
+      homepage
+      license
+      maintainers
+      platforms
+      ;
+  };
   src = unwrapped;
   dontUnpack = true;

From a5d767c91d7b7d1b3935cdea20ecfd9b762aae2b Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Sun, 8 Dec 2024 22:05:47 -0400
Subject: [PATCH 2/3] dotnet/combine-packages: don't inherit meta from cli

---
 .../development/compilers/dotnet/combine-packages.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/compilers/dotnet/combine-packages.nix b/pkgs/development/compilers/dotnet/combine-packages.nix
index b745a40e878f6..6528fb3d56a1e 100644
--- a/pkgs/development/compilers/dotnet/combine-packages.nix
+++ b/pkgs/development/compilers/dotnet/combine-packages.nix
@@ -56,5 +56,14 @@ mkWrapper "sdk" (buildEnv {
     );
   };
-  inherit (cli) meta;
+  meta = {
+    description = "${cli.meta.description or "dotnet"} (combined)";
+    inherit (cli.meta)
+      homepage
+      license
+      mainProgram
+      maintainers
+      platforms
+      ;
+  };
 })

From e8df65937267c2bc06bc7c562410fae84f4d7329 Mon Sep 17 00:00:00 2001
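Review bot: The rebuilt `meta` set in wrapper.nix inherits only `homepage`, `license`, `maintainers` and `platforms`, so `knownVulnerabilities` (and `broken`) from `unwrapped.meta` are no longer visible on the wrapped package, and the combine-packages.nix hunk drops them from `cli.meta` in the same way; anything that inspects the wrapper's meta without instantiating it will not see the SDK's vulnerability status. If that is deliberate — presumably so that only the unwrapped package name needs a `permittedInsecurePackages` entry while the insecure check still fails evaluation of the wrapper through `src = unwrapped` — the omission should be stated next to the `inherit (unwrapped.meta)` list, e.g. `# knownVulnerabilities is deliberately not inherited: the check on unwrapped still fails evaluation of this wrapper via src, and copying it here would also require permitting the wrapped name.` Otherwise `knownVulnerabilities` belongs in both inherit lists. The `mkDerivation`/`buildEnv` calls both hunks edit continue outside the hunks.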
From: David McFarland
Date: Tue, 10 Dec 2024 15:10:15 -0400
Subject: [PATCH 3/3] dotnet: force evaluation of sdk nuget packages

This causes evaluation of the nuget packages to fail when the SDK is insecure, without requiring the individual packages to be permitted.

---
 .../compilers/dotnet/build-dotnet.nix | 40 ++++++++++++-------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/pkgs/development/compilers/dotnet/build-dotnet.nix b/pkgs/development/compilers/dotnet/build-dotnet.nix
index ede86ad04eb47..5a7418709aec2 100644
--- a/pkgs/development/compilers/dotnet/build-dotnet.nix
+++ b/pkgs/development/compilers/dotnet/build-dotnet.nix
@@ -98,7 +98,7 @@ let
 in
 mkWrapper type (
-  stdenv.mkDerivation rec {
+  stdenv.mkDerivation (finalAttrs: {
     inherit pname version;
     # Some of these dependencies are `dlopen()`ed.
@@ -194,19 +194,29 @@ mkWrapper type (
         {
           inherit icu hasILCompiler;
         }
-        // lib.optionalAttrs (type == "sdk") {
-          packages = commonPackages ++ hostPackages.${hostRid} ++ targetPackages.${targetRid};
-          inherit targetPackages runtime aspnetcore;
-
-          updateScript =
-            let
-              majorVersion = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version));
-            in
-            [
-              ./update.sh
-              majorVersion
-            ];
-        };
+        // lib.optionalAttrs (type == "sdk") (
+          let
+            # force evaluation of the SDK package to ensure evaluation failures
+            # (e.g. due to vulnerabilities) propagate to the nuget packages
+            forceSDKEval = builtins.seq finalAttrs.finalPackage.drvPath;
+          in
+          {
+            packages = map forceSDKEval (
+              commonPackages ++ hostPackages.${hostRid} ++ targetPackages.${targetRid}
+            );
+            targetPackages = lib.mapAttrs (_: map forceSDKEval) targetPackages;
+            inherit runtime aspnetcore;
+
+            updateScript =
+              let
+                majorVersion = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version));
+              in
+              [
+                ./update.sh
+                majorVersion
+              ];
+          }
+        );
     meta = with lib; {
       description = builtins.getAttr type descriptions;
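Review bot: `forceSDKEval = builtins.seq finalAttrs.finalPackage.drvPath` depends on `drvPath` being the attribute that stdenv's meta validity check turns into an evaluation error for an unpermitted insecure or broken package, and the comment above it does not say so; it also does not mention that touching any element of `packages` or `targetPackages` now instantiates the whole SDK derivation, which makes listing the nuget packages as expensive to evaluate as the SDK itself. I would replace the two-line comment with: `# Force instantiation of the SDK (finalPackage.drvPath) before any nuget package is used: the meta validity check (knownVulnerabilities, broken) is attached to drvPath/outPath, so an unpermitted insecure SDK fails evaluation here instead of requiring each package to be permitted. This makes the package lists as costly to evaluate as the SDK.` It is worth adding a sentence that `runtime` and `aspnetcore` are passed through unforced because, presumably, they carry their own meta. The attribute set merged by `//` starts before this hunk, and the `finalAttrs` binding comes from the previous hunk.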
@@ -239,5 +249,5 @@ mkWrapper type (
         "Dotnet SDK ${version} is EOL, please use 8.0 (LTS) or 9.0 (Current)"
       ];
     };
-  }
+  })
 )