Grant
Theme fund: NGI Fediversity Fund
Start: 2025-08

Nixpkgs Clarity

State of the art automated license detection for Nixpkgs

Nix provides a unique approach to package management and system configuration for more reproducible, declarative, and reliable systems. Nixpkgs is the largest and most up-to-date collection of software packages today, and forms the basis of the NGI Fediversity project. But like other ecosystems, Nix struggles with the accurate and consistent package license metadata necessary for frictionless reuse of Nixpkgs in the software supply chain.

For example, Nix's license tracking does not fully align with best practices like SPDX license expressions. It instead uses a custom list of license IDs that references SPDX or ScanCode LicenseDB inconsistently, and the resulting metadata can be out of sync with the actual code or misrepresent its license. Packagers commonly look only at the top declared licenses, ignoring the file-level licenses. The Nixpkgs Clarity project corrects and standardizes Nixpkgs's license metadata to enable efficient, responsible Nixpkgs usage in secured software supply chains.

    Run by AboutCode Europe ASBL


    This project was funded through the NGI Fediversity Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, as a pilot programme under the aegis of DG Communications Networks, Content and Technology. NGI Fediversity is part of the Horizon Europe research and innovation programme under grant agreement No. 101136078.