Record subset of meta in provenance

RossComputerGuy · RossComputerGuy · commit ee14c7c19a57 · 2026-02-10T12:28:25.000-08:00
diff --git a/src/libexpr/include/nix/expr/meson.build b/src/libexpr/include/nix/expr/meson.build
@@ -30,6 +30,7 @@ headers = [ config_pub_h ] + files(
   'print-ambiguous.hh',
   'print-options.hh',
   'print.hh',
+  'provenance.hh',
   'repl-exit-status.hh',
   'search-path.hh',
   'static-string-data.hh',
diff --git a/src/libexpr/include/nix/expr/provenance.hh b/src/libexpr/include/nix/expr/provenance.hh
@@ -0,0 +1,23 @@
+#pragma once
+
+#include "nix/util/provenance.hh"
+
+namespace nix {
+
+/**
+ * Provenance indicating that this store path was instantiated by the `derivation` builtin function. Its main purpose is
+ * to record `meta` fields.
+ */
+struct MetaProvenance : Provenance
+{
+    std::shared_ptr<const Provenance> next;
+    ref<nlohmann::json> meta;
+
+    MetaProvenance(std::shared_ptr<const Provenance> next, ref<nlohmann::json> meta)
+        : next(std::move(next))
+        , meta(std::move(meta)) {};
+
+    nlohmann::json to_json() const override;
+};
+
+} // namespace nix
diff --git a/src/libexpr/meson.build b/src/libexpr/meson.build
@@ -181,6 +181,7 @@ sources = files(
   'primops.cc',
   'print-ambiguous.cc',
   'print.cc',
+  'provenance.cc',
   'search-path.cc',
   'symbol-table.cc',
   'value-to-json.cc',
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
@@ -18,6 +18,7 @@
 #include "nix/fetchers/fetch-to-store.hh"
 #include "nix/util/sort.hh"
 #include "nix/util/mounted-source-accessor.hh"
+#include "nix/expr/provenance.hh"
 
 #include <boost/container/small_vector.hpp>
 #include <boost/unordered/concurrent_flat_map.hpp>
@@ -1504,6 +1505,8 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
     StringSet outputs;
     outputs.insert("out");
 
+    auto provenance = state.evalContext.provenance;
+
     for (auto & i : attrs->lexicographicOrder(state.symbols)) {
         if (i->name == state.s.ignoreNulls)
             continue;
@@ -1571,6 +1574,24 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
                     experimentalFeatureSettings.require(Xp::ImpureDerivations);
                 }
                 break;
+            case EvalState::s.meta.getId():
+                experimentalFeatureSettings.require(Xp::Provenance);
+
+                {
+                    auto meta = printValueAsJSON(state, true, *i->value, pos, context);
+
+                    for (auto it = meta.begin(); it != meta.end();) {
+                        if (it.key() == "identifiers" || it.key() == "license" || it.key() == "licenses") {
+                            it++;
+                            continue;
+                        }
+
+                        it = meta.erase(it);
+                    }
+
+                    provenance = std::make_shared<const MetaProvenance>(provenance, make_ref<nlohmann::json>(meta));
+                }
+                break;
             /* The `args' attribute is special: it supplies the
                command-line arguments to the builder. */
             case EvalState::s.args.getId():
@@ -1847,8 +1868,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
     }
 
     /* Write the resulting term into the Nix store directory. */
-    auto drvPath =
-        writeDerivation(*state.store, *state.asyncPathWriter, drv, state.repair, false, state.evalContext.provenance);
+    auto drvPath = writeDerivation(*state.store, *state.asyncPathWriter, drv, state.repair, false, provenance);
     auto drvPathS = state.store->printStorePath(drvPath);
 
     printMsg(lvlChatty, "instantiated '%1%' -> '%2%'", drvName, drvPathS);
@@ -5420,7 +5440,14 @@ void EvalState::createBaseEnv(const EvalSettings & evalSettings)
        language feature gets added.  It's not necessary to increase it
        when primops get added, because you can just use `builtins ?
        primOp' to check. */
-    v.mkInt(6);
+    if (experimentalFeatureSettings.isEnabled(Xp::Provenance)) {
+        /* Provenance allows for meta to be inside of derivations.
+           We increment the version to 7 so Nixpkgs will know when
+           provenance is available. */
+        v.mkInt(7);
+    } else {
+        v.mkInt(6);
+    }
     addConstant(
         "__langVersion",
         v,
diff --git a/src/libexpr/provenance.cc b/src/libexpr/provenance.cc
@@ -0,0 +1,25 @@
+#include "nix/expr/provenance.hh"
+#include "nix/util/json-utils.hh"
+
+#include <nlohmann/json.hpp>
+
+namespace nix {
+
+nlohmann::json MetaProvenance::to_json() const
+{
+    return nlohmann::json{
+        {"type", "meta"},
+        {"meta", *meta},
+        {"next", next ? next->to_json() : nlohmann::json(nullptr)},
+    };
+}
+
+Provenance::Register registerMetaProvenance("meta", [](nlohmann::json json) {
+    auto & obj = getObject(json);
+    std::shared_ptr<const Provenance> next;
+    if (auto p = optionalValueAt(obj, "next"); p && !p->is_null())
+        next = Provenance::from_json(*p);
+    return make_ref<MetaProvenance>(next, make_ref<nlohmann::json>(valueAt(obj, "meta")));
+});
+
+} // namespace nix
diff --git a/src/nix/provenance-show.md b/src/nix/provenance-show.md
@@ -22,6 +22,7 @@ The provenance chain shows the history of how the store path came to exist, incl
 - **Built**: The path was built from a derivation.
 - **Flake evaluation**: The derivation was instantiated during the evaluation of a flake output.
 - **Fetched**: The path was obtained by fetching a source tree.
+- **Meta**: Metadata associated with the derivation.
 
 Note: if you want provenance in JSON format, use the `provenance` field returned by `nix path-info --json`.
 
diff --git a/src/nix/provenance.cc b/src/nix/provenance.cc
@@ -1,5 +1,6 @@
 #include "nix/cmd/command.hh"
 #include "nix/store/store-api.hh"
+#include "nix/expr/provenance.hh"
 #include "nix/store/provenance.hh"
 #include "nix/flake/provenance.hh"
 #include "nix/fetchers/provenance.hh"
@@ -91,6 +92,9 @@ struct CmdProvenanceShow : StorePathsCommand
             } else if (auto subpath = std::dynamic_pointer_cast<const SubpathProvenance>(provenance)) {
                 logger->cout("← from file " ANSI_BOLD "%s" ANSI_NORMAL, subpath->subpath.abs());
                 provenance = subpath->next;
+            } else if (auto meta = std::dynamic_pointer_cast<const MetaProvenance>(provenance)) {
+                logger->cout("← with metadata");
+                provenance = meta->next;
             } else {
                 // Unknown or unhandled provenance type
                 auto json = provenance->to_json();
diff --git a/tests/functional/config.nix.in b/tests/functional/config.nix.in
@@ -5,6 +5,9 @@ let
     outputHashMode = "recursive";
     outputHashAlgo = "sha256";
   } else {};
+
+  optional = cond: elem: if cond then [ elem ] else [];
+  optionalAttrs = cond: attrs: if cond then attrs else {};
 in
 
 rec {
@@ -25,6 +28,6 @@ rec {
         eval "$buildCommand"
       '')];
       PATH = path;
-    } // caArgs // removeAttrs args ["builder" "meta"])
-    // { meta = args.meta or {}; };
+    } // caArgs // removeAttrs args (["builder"] ++ optional (builtins.langVersion < 7) "meta"))
+    // optionalAttrs (builtins.langVersion < 7) { meta = args.meta or {}; };
 }
diff --git a/tests/functional/flakes/provenance.sh b/tests/functional/flakes/provenance.sh
@@ -15,35 +15,51 @@ lastModified=$(nix flake metadata --json "$flake1Dir" | jq -r .locked.lastModifi
 treePath=$(nix flake prefetch --json "$flake1Dir" | jq -r .storePath)
 builder=$(nix eval --raw "$flake1Dir#packages.$system.default._builder")
 
-# Building a derivation should have tree+subpath+flake+build provenance.
-[[ $(nix path-info --json --json-format 1 "$outPath" | jq ".\"$outPath\".provenance") = $(cat <<EOF
+# Building a derivation should have tree+subpath+flake+meta+build provenance.
+[[ "$(nix path-info --json --json-format 1 "$outPath" | jq ".\"$outPath\".provenance")" == "$(cat <<EOF
 {
   "buildHost": "test-host",
   "drv": "$(basename "$drvPath")",
   "next": {
-    "flakeOutput": "packages.$system.default",
+    "meta": {
+      "license": [
+        {
+          "deprecated": true,
+          "free": true,
+          "fullName": "GNU Lesser General Public License v2.1",
+          "redistributable": true,
+          "shortName": "lgpl21",
+          "spdxId": "LGPL-2.1",
+          "url": "https://spdx.org/licenses/LGPL-2.1.html"
+        }
+      ]
+    },
     "next": {
+      "flakeOutput": "packages.$system.default",
       "next": {
-        "attrs": {
-          "lastModified": $lastModified,
-          "ref": "refs/heads/master",
-          "rev": "$rev",
-          "revCount": 1,
-          "type": "git",
-          "url": "file://$flake1Dir"
+        "next": {
+          "attrs": {
+            "lastModified": $lastModified,
+            "ref": "refs/heads/master",
+            "rev": "$rev",
+            "revCount": 1,
+            "type": "git",
+            "url": "file://$flake1Dir"
+          },
+          "type": "tree"
         },
-        "type": "tree"
+        "subpath": "/flake.nix",
+        "type": "subpath"
       },
-      "subpath": "/flake.nix",
-      "type": "subpath"
+      "type": "flake"
     },
-    "type": "flake"
+    "type": "meta"
   },
   "output": "out",
   "type": "build"
 }
 EOF
-) ]]
+)" ]]
 
 # Flakes should have "tree" provenance.
 [[ $(nix path-info --json --json-format 1 "$treePath" | jq ".\"$treePath\".provenance") = $(cat <<EOF
@@ -89,52 +105,88 @@ clearStore
 
 nix copy --from "file://$binaryCache" "$outPath" --no-check-sigs
 
-[[ $(nix path-info --json --json-format 1 "$outPath" | jq ".\"$outPath\".provenance") = $(cat <<EOF
+[[ "$(nix path-info --json --json-format 1 "$outPath" | jq ".\"$outPath\".provenance")" = "$(cat <<EOF
 {
   "from": "file://$binaryCache",
   "next": {
     "buildHost": "test-host",
     "drv": "$(basename "$drvPath")",
     "next": {
-      "flakeOutput": "packages.$system.default",
+      "meta": {
+        "license": [
+          {
+            "deprecated": true,
+            "free": true,
+            "fullName": "GNU Lesser General Public License v2.1",
+            "redistributable": true,
+            "shortName": "lgpl21",
+            "spdxId": "LGPL-2.1",
+            "url": "https://spdx.org/licenses/LGPL-2.1.html"
+          }
+        ]
+      },
       "next": {
+        "flakeOutput": "packages.$system.default",
         "next": {
-          "attrs": {
-            "lastModified": $lastModified,
-            "ref": "refs/heads/master",
-            "rev": "$rev",
-            "revCount": 1,
-            "type": "git",
-            "url": "file://$flake1Dir"
+          "next": {
+            "attrs": {
+              "lastModified": $lastModified,
+              "ref": "refs/heads/master",
+              "rev": "$rev",
+              "revCount": 1,
+              "type": "git",
+              "url": "file://$flake1Dir"
+            },
+            "type": "tree"
           },
-          "type": "tree"
+          "subpath": "/flake.nix",
+          "type": "subpath"
         },
-        "subpath": "/flake.nix",
-        "type": "subpath"
+        "type": "flake"
       },
-      "type": "flake"
+      "type": "meta"
     },
     "output": "out",
     "type": "build"
   },
   "type": "copied"
 }
 EOF
-) ]]
+)" ]]
 
 # Test `nix provenance show`.
-[[ $(nix provenance show "$outPath") = $(cat <<EOF
+[[ "$(nix provenance show "$outPath")" = $(cat <<EOF
 [1m$outPath[0m
 ← copied from [1mfile://$binaryCache[0m
 ← built from derivation [1m$drvPath[0m (output [1mout[0m) on [1mtest-host[0m
+← with metadata
 ← instantiated from flake output [1mgit+file://$flake1Dir?ref=refs/heads/master&rev=$rev#packages.$system.default[0m
 EOF
 ) ]]
 
 # Check that --impure does not add provenance.
 clearStore
 nix build --impure --print-out-paths --no-link "$flake1Dir#packages.$system.default"
-[[ $(nix path-info --json --json-format 1 "$drvPath" | jq ".\"$drvPath\".provenance") = null ]]
+[[ "$(nix path-info --json --json-format 1 "$drvPath" | jq ".\"$drvPath\".provenance")" = "$(cat << EOF
+{
+  "meta": {
+    "license": [
+      {
+        "deprecated": true,
+        "free": true,
+        "fullName": "GNU Lesser General Public License v2.1",
+        "redistributable": true,
+        "shortName": "lgpl21",
+        "spdxId": "LGPL-2.1",
+        "url": "https://spdx.org/licenses/LGPL-2.1.html"
+      }
+    ]
+  },
+  "next": null,
+  "type": "meta"
+}
+EOF
+)" ]]
 
 clearStore
 echo foo > "$flake1Dir/somefile"
diff --git a/tests/functional/simple.nix b/tests/functional/simple.nix
@@ -6,5 +6,20 @@ mkDerivation {
   _builder = ./simple.builder.sh;
   PATH = "";
   goodPath = path;
-  meta.position = "${__curPos.file}:${toString __curPos.line}";
+  meta = {
+    position = "${__curPos.file}:${toString __curPos.line}";
+    license = [
+      # Since this file is from Nix, use Nix's license.
+      # Keep in sync with `lib.licenses.lgpl21` from Nixpkgs.
+      {
+        deprecated = true;
+        free = true;
+        fullName = "GNU Lesser General Public License v2.1";
+        redistributable = true;
+        shortName = "lgpl21";
+        spdxId = "LGPL-2.1";
+        url = "https://spdx.org/licenses/LGPL-2.1.html";
+      }
+    ];
+  };
 }
