Appropriate package guidelines, for package requests

[IFcoltransG]

Context

• I created a packaging request (#309024) which was closed.
• The considerations for closing it seem fair, but I was not aware of those considerations before creating the issue.
• I haven't been able to find guidelines, either linked from the README or CONTRIBUTING, for which types of projects are good fits to be packaged.
• As a new NixOS user, I am relying on Nixpkgs while I learn how to make derivations.
• I wasted maintainer time, as well as my own, in creating that issue.

Expectation

• I would expect to find a list of rough criteria that package requesters can check, to ensure their package is right for Nixpkgs. e.g. that it's actively maintained and using modern libraries.

Reality

• If that resource exists, it was not obvious on the README or CONTRIBUTING guides.

Relevance

• I would not have needed to waste maintainer time closing my request.
• Would allow new NixOS users like myself to feel more comfortable and welcomed: giving confidence about whether their suggested packages are good fits for the repository in advance.

[donovanglover]

Should be trivial to add a checklist to the Packaging Request template. Other templates like Missing Documentation already have one.

[eclairevoyant]

• that it's actively maintained and using modern libraries.

I'll point out that this is not (AFAIK) a prerequisite for nixpkgs. However, electron is a special case in that it basically ships a browser (chromium). Old versions of electron use EOL versions of chromium that are known insecure. We should not add known insecure packages into nixpkgs. The only versions we have in the repo are electron 27 to 30, everything older has been dropped: https://github.com/NixOS/nixpkgs/blob/c669412a552f31c45adad47894e7fd6a8698e53f/pkgs/top-level/aliases.nix#L308-L314

As far as actual guidelines, this is the section we currently have: https://github.com/NixOS/nixpkgs/tree/master/pkgs#quick-start-to-adding-a-package This could be improved to explicitly discourage adding insecure packages.