NixOS · matthewbauer · Jul 11, 2018
diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix
@@ -45,7 +45,7 @@ in {
     })
     (mkIf cfg.enableAllFirmware {
       assertions = [{
-        assertion = !cfg.enableAllFirmware || (config.nixpkgs.config.allowUnfree or false);
+        assertion = !cfg.enableAllFirmware || config.nixpkgs.config.allowUnfree;
         message = ''
           the list of hardware.enableAllFirmware contains non-redistributable licensed firmware files.
             This requires nixpkgs.config.allowUnfree to be true.

diff --git a/pkgs/applications/version-management/git-and-tools/default.nix b/pkgs/applications/version-management/git-and-tools/default.nix
@@ -130,7 +130,7 @@ let
 
   transcrypt = callPackage ./transcrypt { };
 
-} // lib.optionalAttrs (config.allowAliases or true) (with self; {
+} // lib.optionalAttrs config.allowAliases (with self; {
   # aliases
   gitAnnex = git-annex;
   svn_all_fast_export = svn-all-fast-export;

diff --git a/pkgs/desktops/gnome-3/default.nix b/pkgs/desktops/gnome-3/default.nix
@@ -391,7 +391,7 @@ lib.makeScope pkgs.newScope (self: with self; {
 
   gnome-packagekit = callPackage ./misc/gnome-packagekit { };
 
-} // lib.optionalAttrs (config.allowAliases or true) {
+} // lib.optionalAttrs config.allowAliases {
 #### Legacy aliases
 
   evolution_data_server = evolution-data-server; # added 2018-02-25

diff --git a/pkgs/desktops/xfce/default.nix b/pkgs/desktops/xfce/default.nix
@@ -159,7 +159,7 @@ lib.makeScope pkgs.newScope (self: with self; {
 
   xfce4_power_manager_gtk3 = xfce4-power-manager.override { withGtk3 = true; };
 
-} // lib.optionalAttrs (config.allowAliases or true) {
+} // lib.optionalAttrs config.allowAliases {
   #### ALIASES - added 2018-01
 
   terminal = xfce4-terminal;

diff --git a/pkgs/development/interpreters/python/mk-python-derivation.nix b/pkgs/development/interpreters/python/mk-python-derivation.nix
@@ -54,7 +54,7 @@
 
 , passthru ? {}
 
-, doCheck ? config.doCheckByDefault or false
+, doCheck ? config.doCheckByDefault
 
 , ... } @ attrs:
 

diff --git a/pkgs/misc/vim-plugins/default.nix b/pkgs/misc/vim-plugins/default.nix
@@ -3213,7 +3213,7 @@ let
 
   };
 
-} // lib.optionalAttrs (config.allowAliases or true) (with self; {
+} // lib.optionalAttrs config.allowAliases (with self; {
 
   # aliasess
   airline             = vim-airline;

diff --git a/pkgs/stdenv/generic/check-meta.nix b/pkgs/stdenv/generic/check-meta.nix
@@ -4,139 +4,93 @@
 { lib, config, hostPlatform, meta }:
 
 let
-  # See discussion at https://github.com/NixOS/nixpkgs/pull/25304#issuecomment-298385426
-  # for why this defaults to false, but I (@copumpkin) want to default it to true soon.
-  shouldCheckMeta = config.checkMeta or false;
-
-  allowUnfree = config.allowUnfree or false
-    || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
-
-  whitelist = config.whitelistedLicenses or [];
-  blacklist = config.blacklistedLicenses or [];
-
-  onlyLicenses = list:
-    lib.lists.all (license:
-      let l = lib.licenses.${license.shortName or "BROKEN"} or false; in
-      if license == l then true else
-        throw ''‘${showLicense license}’ is not an attribute of lib.licenses''
-    ) list;
-
-  areLicenseListsValid =
-    if lib.mutuallyExclusive whitelist blacklist then
-      assert onlyLicenses whitelist; assert onlyLicenses blacklist; true
-    else
-      throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive.";
-
   hasLicense = attrs:
     attrs ? meta.license;
 
-  hasWhitelistedLicense = assert areLicenseListsValid; attrs:
-    hasLicense attrs && builtins.elem attrs.meta.license whitelist;
-
-  hasBlacklistedLicense = assert areLicenseListsValid; attrs:
-    hasLicense attrs && builtins.elem attrs.meta.license blacklist;
-
-  allowBroken = config.allowBroken or false
-    || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
+  hasWhitelistedLicense = attrs:
+    hasLicense attrs &&
+    builtins.elem attrs.meta.license config.whitelistedLicenses;
 
-  allowUnsupportedSystem = config.allowUnsupportedSystem or false
-    || builtins.getEnv "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM" == "1";
+  hasBlacklistedLicense = attrs:
+    hasLicense attrs &&
+    builtins.elem attrs.meta.license config.blacklistedLicenses;
 
   isUnfree = licenses: lib.lists.any (l:
     !l.free or true || l == "unfree" || l == "unfree-redistributable") licenses;
 
-  # Alow granular checks to allow only some unfree packages
-  # Example:
-  # {pkgs, ...}:
-  # {
-  #   allowUnfree = false;
-  #   allowUnfreePredicate = (x: pkgs.lib.hasPrefix "flashplayer-" x.name);
-  # }
-  allowUnfreePredicate = config.allowUnfreePredicate or (x: false);
-
   # Check whether unfree packages are allowed and if not, whether the
   # package has an unfree license and is not explicitely allowed by the
   # `allowUNfreePredicate` function.
   hasDeniedUnfreeLicense = attrs:
-    !allowUnfree &&
     hasLicense attrs &&
     isUnfree (lib.lists.toList attrs.meta.license) &&
-    !allowUnfreePredicate attrs;
+    !config.allowUnfreePredicate attrs;
 
-  allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
-  allowInsecurePredicate = x: (config.allowInsecurePredicate or allowInsecureDefaultPredicate) x;
+  pos_str = meta.position or "«unknown-file»";
 
-  hasAllowedInsecure = attrs:
-    (attrs.meta.knownVulnerabilities or []) == [] ||
-    allowInsecurePredicate attrs ||
-    builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
+  remediation = (let
+    whitelist = str: attrs: ''
 
-  showLicense = license: license.shortName or "unknown";
+        a) For `nixos-rebuild` you can set:
 
-  pos_str = meta.position or "«unknown-file»";
+        { nixpkgs.config.${str}; }
 
-  remediation = {
-    unfree = remediate_whitelist "Unfree";
-    broken = remediate_whitelist "Broken";
-    unsupported = remediate_whitelist "UnsupportedSystem";
-    blacklisted = x: "";
-    insecure = remediate_insecure;
-    unknown-meta = x: "";
-  };
-  remediate_whitelist = allow_attr: attrs:
-    ''
-      a) For `nixos-rebuild` you can set
-        { nixpkgs.config.allow${allow_attr} = true; }
-      in configuration.nix to override this.
-
-      b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
-        { allow${allow_attr} = true; }
-      to ~/.config/nixpkgs/config.nix.
-    '';
+           in configuration.nix to override this.
+
+        b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix
+           command you can add:
+
+        { ${str}; }
+
+           to ~/.config/nixpkgs/config.nix.
+      '';
 
-  remediate_insecure = attrs:
-    ''
+    insecure = attrs: ''
 
       Known issues:
-    '' + (lib.concatStrings (map (issue: " - ${issue}\n") attrs.meta.knownVulnerabilities)) + ''
 
-        You can install it anyway by whitelisting this package, using the
-        following methods:
+    '' + (lib.concatStrings (map (issue: " - ${issue}\n")
+                                 attrs.meta.knownVulnerabilities)) + ''
 
-        a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to
-           `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
-           like so:
+        You can install it anyway by whitelisting this package, using
+        the following methods:
+
+        a) for `nixos-rebuild` you can add ‘${attrs.name}’ to
+           `nixpkgs.config.permittedInsecurePackages` in the
+           configuration.nix, like so:
 
              {
                nixpkgs.config.permittedInsecurePackages = [
-                 "${attrs.name or "«name-missing»"}"
+                 "${attrs.name}"
                ];
              }
 
-        b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
-        ‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in
-        ~/.config/nixpkgs/config.nix, like so:
+        b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix
+           command you can add ‘${attrs.name}’ to
+           `permittedInsecurePackages` in
+           ~/.config/nixpkgs/config.nix, like so:
 
              {
                permittedInsecurePackages = [
-                 "${attrs.name or "«name-missing»"}"
+                 "${attrs.name}"
                ];
              }
+    '';
 
-      '';
-
-  handleEvalIssue = attrs: { reason , errormsg ? "" }:
-    let
-      msg = ''
-        Package ‘${attrs.name or "«name-missing»"}’ in ${pos_str} ${errormsg}, refusing to evaluate.
+  in {
+    unfree = whitelist "allowUnfree = true";
+    broken = whitelist "allowBroken = true";
+    unsupported = whitelist "allowUnsupportedSystem = true";
+    inherit insecure;
+  });
 
-      '' + (builtins.getAttr reason remediation) attrs;
+  handleEvalIssue = attrs: { reason , errormsg ? "" }: config.handleEvalIssue ''
 
-      handler = if config ? "handleEvalIssue"
-        then config.handleEvalIssue reason
-        else throw;
-    in handler msg;
+Package ‘${attrs.name or "«name-missing»"}’ in ${pos_str} ${errormsg},
+refusing to evaluate.
 
+${(remediation.${reason} or (_: "")) attrs}
+  '';
 
   metaTypes = with lib.types; rec {
     # These keys are documented
@@ -176,9 +130,12 @@ let
 
   checkMetaAttr = k: v:
     if metaTypes?${k} then
-      if metaTypes.${k}.check v then null else "key '${k}' has a value ${toString v} of an invalid type ${builtins.typeOf v}; expected ${metaTypes.${k}.description}"
+      if metaTypes.${k}.check v then null
+      else "key '${k}' has a value ${toString v} of an invalid type ${builtins.typeOf v}; expected ${metaTypes.${k}.description}"
     else "key '${k}' is unrecognized; expected one of: \n\t      [${lib.concatMapStringsSep ", " (x: "'${x}'") (lib.attrNames metaTypes)}]";
-  checkMeta = meta: if shouldCheckMeta then lib.remove null (lib.mapAttrsToList checkMetaAttr meta) else [];
+  checkMeta = meta: if config.checkMeta
+                    then lib.remove null (lib.mapAttrsToList checkMetaAttr meta)
+                    else [];
 
   checkPlatform = attrs: let
       anyMatch = lib.any (lib.meta.platformMatch hostPlatform);
@@ -192,19 +149,34 @@ let
   # { reason: String; errormsg: String } if it is not valid, where
   # reason is one of "unfree", "blacklisted" or "broken".
   checkValidity = attrs:
-    if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
-      { valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
-    else if hasBlacklistedLicense attrs then
-      { valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; }
-    else if !allowBroken && attrs.meta.broken or false then
-      { valid = false; reason = "broken"; errormsg = "is marked as broken"; }
-    else if !allowUnsupportedSystem && !(checkPlatform attrs) then
-      { valid = false; reason = "unsupported"; errormsg = "is not supported on ‘${hostPlatform.config}’"; }
-    else if !(hasAllowedInsecure attrs) then
-      { valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
-    else let res = checkMeta (attrs.meta or {}); in if res != [] then
-      { valid = false; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${lib.concatMapStrings (x: "\n\t - " + x) res}"; }
-    else { valid = true; };
+    if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then {
+      valid = false;
+      reason = "unfree";
+      errormsg = "has an unfree license (‘${attrs.meta.license.shortName or "unknown"}’)";
+    } else if hasBlacklistedLicense attrs then {
+      valid = false;
+      reason = "blacklisted";
+      errormsg = "has a blacklisted license (‘${attrs.meta.license.shortName or "unknown"}’)";
+    } else if !config.allowBroken && attrs.meta.broken or false then {
+      valid = false;
+      reason = "broken";
+      errormsg = "is marked as broken";
+    } else if !config.allowUnsupportedSystem && !(checkPlatform attrs) then {
+      valid = false;
+      reason = "unsupported";
+      errormsg = "is not supported on ‘${hostPlatform.config}’";
+    } else if !(((attrs.meta.knownVulnerabilities or []) == []) ||
+                 (config.allowInsecurePredicate attrs)) then {
+      valid = false;
+      reason = "insecure";
+      errormsg = "is marked as insecure";
+    } else let res = checkMeta (attrs.meta or {}); in if res != [] then {
+      valid = false;
+      errormsg = ''
+        has an invalid meta attrset:
+          ${lib.concatMapStrings (x: "\n\t - " + x) res}
+      '';
+    } else { valid = true; };
 
   assertValidity = attrs: let
       validity = checkValidity attrs;

diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
@@ -51,11 +51,11 @@ rec {
 
     # TODO(@Ericson2314): Make unconditional / resolve #33599
     # Check phase
-    , doCheck ? config.doCheckByDefault or false
+    , doCheck ? config.doCheckByDefault
 
     # TODO(@Ericson2314): Make unconditional / resolve #33599
     # InstallCheck phase
-    , doInstallCheck ? config.doCheckByDefault or false
+    , doInstallCheck ? config.doCheckByDefault
 
     , # TODO(@Ericson2314): Make always true and remove
       strictDeps ? stdenv.hostPlatform != stdenv.buildPlatform
@@ -272,7 +272,7 @@ rec {
         # Expose the result of the checks for everyone to see.
         } // {
           available = validity.valid
-                   && (if config.checkMetaRecursively or false
+                   && (if config.checkMetaRecursively
                        then lib.all (d: d.meta.available or true) references
                        else true);
         };