stdenv: introduce PURL feature flag, adjust docu & release notes

Author: h0nIg

doc/release-notes/rl-2511.section.md

@@ -252,7 +252,7 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Metadata identifier purl (Package URL, https://github.com/package-url/purl-spec) has been added for fetchgit, fetchpypi and fetchFromGithub fetchers and mkDerivation has been adjusted to reuse these informations. Package URL's enables a reliable identification and locatization of software packages. Maintainers of derivations using the adopted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. Maintainers using fetchurl for `drv.src` are urged to adopt their `drv.meta.identifiers.purlParts` for proper identification.
+- Metadata identifier purl (Package URL, https://github.com/package-url/purl-spec) has been added for fetchgit, fetchpypi and fetchFromGithub fetchers and mkDerivation has been adjusted to reuse these informations. Package URL's enables a reliable identification and locatization of software packages. Maintainers of derivations using the adopted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. Maintainers using fetchurl for `drv.src` are urged to adopt their `drv.meta.identifiers.purlParts` for proper identification. Maintainers should check that their `drv.src` / `drv.srcs` either evaluate properly or that they throw an UnsupportedPlatform  statement instead of a missing attribute error. The inheritance feature of `drv.src(s).meta.identifiers.purl(s)` for `drv.meta.identifiers.purl(s)` can get activated via `config.derivationPURLInheritance`.
 
 - Added `rewriteURL` attribute to the nixpkgs `config`, to allow for rewriting the URLs downloaded by `fetchurl`.
 - Added `hashedMirrors` attribute to the nixpkgs `config`, to allow for customization of the hashed mirrors used by `fetchurl`.

doc/stdenv/meta.chapter.md

@@ -322,7 +322,7 @@ A readonly attribute containing the list of guesses for what CPE for this packag
 
 ### Package URL {#sec-meta-identifiers-purl}
 
-[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages. Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. Package URL's default to the mkDerivation.src, as the original consumed software package is the single point of truth.
+[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages. Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management. Package URL's shall default to the mkDerivation.src, as the original consumed software package is the single point of truth. The default inheritance must get enabled explicitly through the nixpkgs config paramter `derivationPURLInheritance`.
 
 #### `meta.identifiers.purlParts` {#var-meta-identifiers-purlParts}
 

pkgs/stdenv/generic/check-meta.nix

@@ -713,7 +713,8 @@ let
                 }
               ) possibleCPEPartsFuns;
 
-          evaluateSrc = !isMarkedBroken attrs && !hasUnsupportedPlatform attrs;
+          evaluateSrc =
+            config.derivationPURLInheritance && !isMarkedBroken attrs && !hasUnsupportedPlatform attrs;
           purlParts = attrs.meta.identifiers.purlParts or { };
           purlPartsFormatted =
             if purlParts ? type && purlParts ? spec then "pkg:${purlParts.type}/${purlParts.spec}" else null;

pkgs/top-level/config.nix

@@ -333,6 +333,16 @@ let
         Please read https://www.visualstudio.com/license-terms/mt644918/ and enable this config if you accept.
       '';
     };
+
+    derivationPURLInheritance = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Commonly PURL identifiers are based on the source of software. For example software distributed through github.com can get identified via pkg:github/org/repo.
+        Most of the nixpkgs derivations have a drv.src or drv.srcs which properly evaluate, but there are some corner cases.
+        This feature flag should get activated, once an SBOM tool is in use and where drv.meta.identifiers.purl(s) should inherit the informations from drv.src(s).meta.identifiers.purl(s).
+      '';
+    };
   };
 
 in