forked from mirrors/nixpkgs
Commit graph

414 commits

Author SHA1 Message Date
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
Frederik Rietdijk 026cfee6b0 Docs: update Python contributing guidelines 2017-02-22 13:38:29 +01:00
Paul Kinsky b14dd0e6c3
wrap added notes in <note> 2017-02-20 22:25:32 -05:00
Paul Kinsky 2d78767973
Add tips for resolving https issues in containers
I ran into some issues making HTTPS requests from a container built with buildImage. I've added notes with tips for resolving similar issues.
2017-02-20 22:24:54 -05:00
Vladimír Čunát 6bea415b5e
Merge branch 'master' into staging 2017-02-09 08:42:04 +01:00
John Ericson 8cd4c31d6b top-level: Allow nixpkgs to take localSystem directly
This is instead of both system and platform, which is kind of ugly.
2017-02-08 22:06:57 -05:00
John Ericson f6ef6b56fe Merge pull request #22387 from Ericson2314/cross-3-platforms
cross stdenv: let build package's build deps resolve to native packages
2017-02-05 17:41:31 -05:00
John Ericson 5eaea6cee0 cross stdenv: let build package's build deps resolve to native packages
This fixes the "sliding window" principle:
  0. Run packages:       build = native;  host = foreign; target = foreign;
  1. Build packages:     build = native;  host = native;  target = foreign;
  2. Vanilla packages:   build = native;  host = native;  target = native;
  3. Vanilla packages:   build = native;  host = native;  target = native;
  n+3. ...

Each stage's build dependencies are resolved against the previous stage,
and the "foreigns" are shifted accordingly. Vanilla packages alone are
built against themselves, since there are no more "foreign"s to shift away.

Before, build packages' build dependencies were resolved against
themselves:
  0. Run packages:       build = native;  host = foreign; target = foreign;
  1. Build packages:     build = native;  host = native;  target = foreign;
  2. Build packages:     build = native;  host = native;  target = foreign;
  n+2. ...

This is wrong because that principle is violated by the target
platform staying foreign.

This will change the hashes of many build packages and run packages, but
that is OK. This is an unavoidable cost of fixing cross compiling.

The cross compilation docs have been updated to reflect this fix.
2017-02-05 12:01:53 -05:00
Vladimír Čunát 3b583d943e
Merge #19328: mkWrapper fix and docs 2017-02-05 14:09:22 +01:00
Vladimír Čunát adab4cd58b
Merge branch 'master' into staging 2017-02-03 11:47:38 +01:00
Bas van Dijk dfcc9e2994 ghc: support building with integer-simple and provide package sets for it
If the flag enableIntegerSimple is true GHC will be built with the GPL-free but
slower integer-simple library instead of the faster but GPLed integer-gmp
library.

The attribute `pkgs.haskell.compiler.integer-simple."${ghcVersion}"` provides a
GHC compiler built with `integer-simple`.

Similarly, the attribute `pkgs.haskell.packages.integer-simple."${ghcVersion}"`
provides a package set supporting `integer-simple`.

Closes https://github.com/NixOS/nixpkgs/pull/22121.
Closes https://github.com/NixOS/nixpkgs/issues/5493.
2017-02-02 10:57:00 +01:00
Domen Kožar 220adbb039
docs: fix link for python 2017-02-01 21:32:06 +01:00
Eelco Dolstra 9d6a55aefd
~/.nixpkgs -> ~/.config/nixpkgs
The former is still respected as a fallback for config.nix for
backwards compatibility (but not for overlays because they're a new
feature).
2017-02-01 16:07:55 +01:00
Eelco Dolstra 7dacca324d
$NIXPKGS_OVERLAYS -> <nixpkgs-overlays>
The Nix search path is the established mechanism for specifying the
location of Nix expressions, so let's use it instead of adding another
environment variable.
2017-02-01 16:07:54 +01:00
Vladimír Čunát 49b136377a
Merge #16501: add a guide about vim plugins 2017-01-30 18:28:20 +01:00
Vladimír Čunát 69348badb8
doc vim: nitpicks 2017-01-30 18:27:44 +01:00
Lorenzo Manacorda 4e0bb261d0 Make more visible which fetch approach is best
Prepend "bad/better/best" to each paragraph, to make more visible which approach is best
2017-01-30 11:28:52 +01:00
Domen Kožar f87deb0b3a Merge pull request #22101 from zimbatm/no-md5
Bye bye MD5
2017-01-25 09:07:48 +01:00
John Ericson 39fb46f538 nixpkgs docs: Cross compilation docs 2017-01-24 11:37:56 -05:00
John Ericson 76ea89aa78 nixpkgs doc: Talk about nativeBuildInputs and propagatedNativeBuildInputs
Do so in the stdenv section where the other two are discussed. This can be
done without bringing up cross-compilation by talking about build-time vs
run-time.
2017-01-24 11:37:56 -05:00
zimbatm 6f21a99bdd doc/old/cross.txt: md5 -> sha256 2017-01-24 16:26:05 +00:00
Franz Pletz 00ab8e84c6
doc: improve hardening docs
Fixes #18887.
2017-01-20 17:46:44 +01:00
Jörg Thalheim 3fdde25b4c Merge pull request #21962 from Mic92/gemdir
bundleEnv: Used gemdir for most applications now
2017-01-19 09:34:14 +01:00
Jörg Thalheim a9495b3066 Merge pull request #21837 from Azulinho/python-docs_add_virtualenv_and_nixshell_example
python docs: add an example for a virtualenv and pip through nix-shell
2017-01-18 08:37:13 +01:00
Jörg Thalheim c9ff7e49a8
docs: gemdir is now preferred attribute for bundlerEnv 2017-01-18 00:52:57 +01:00
Nicolas B. Pierron 88ba960a6d Fix nixpkgs manual generation, missing para closing tag. 2017-01-16 01:17:33 +01:00
Nicolas B. Pierron 2ad710e70e Fix extra nits from aneeshusa 2017-01-16 01:17:33 +01:00
Nicolas B. Pierron 2d6532b330 Update overlay documentation by following nits from aneeshusa. 2017-01-16 01:17:33 +01:00
Nicolas B. Pierron 51d3c931e1 Replace 'phases' by 'layers' in overlays documentation. 2017-01-16 01:17:33 +01:00
Nicolas B. Pierron f9da1fa957 Throw an error if NIXPKGS_OVERLAYS is invalid and improve documentation. 2017-01-16 01:17:33 +01:00
Nicolas B. Pierron f5dfe78a1e Add overlays mechanism to Nixpkgs.
This patch adds a new argument to Nixpkgs default expression named "overlays".

By default, the value of the argument is either taken from the environment variable `NIXPKGS_OVERLAYS`,
or from the directory `~/.nixpkgs/overlays/`.  If the environment variable does not name a valid directory
then this mechanism would fall back on the home directory.  If the home directory does not exist it will
fall back on an empty list of overlays.

The overlays directory should contain the list of extra Nixpkgs stages which would be used to extend the
content of Nixpkgs, with an additional set of packages.  The overlays, i.e. directories, files, symbolic links,
are used in alphabetical order.

The simplest overlay which extends Nixpkgs with nothing looks like:

```nix
self: super: {
}
```

More refined overlays can use `super` as the basis for building new packages, and `self` as a way to query
the final result of the fix-point.

An example of overlay which extends Nixpkgs with a small set of packages can be found at:
  https://github.com/nbp/nixpkgs-mozilla/blob/nixpkgs-overlay/moz-overlay.nix

To use this file, check out the repository and add a symbolic link to
the `moz-overlay.nix` file in the `~/.nixpkgs/overlays` directory.
2017-01-16 01:17:33 +01:00
Kier Davis cb4ebb6749
docs: fix a couple of unmatched parentheses 2017-01-12 21:04:20 +00:00
Azul 58613a7eed python docs: update block according to code review 2017-01-12 16:59:27 +00:00
Azul aa9a9dd1b4 python docs: add an example for a virtualenv and pip through nix-shell 2017-01-12 16:00:50 +00:00
Frederik Rietdijk e0d1691ba3 Docs Python: fix examples and links 2016-12-21 15:45:39 +01:00
Matthew Pickering d8d36de635 Fix typo in beam.xml 2016-12-19 14:56:55 +00:00
Marti Serra b8984954ff steam: removed unuseful section from documentation 2016-12-11 16:57:28 +01:00
Marti Serra 21449c23cb steam: added java and steam-run to documentation, removed patchelf info 2016-12-11 12:47:48 +01:00
Jaka Hudoklin f1d93906f8 Merge pull request #21047 from xvapx/fix/steam-doc
steam: added documentation to nixpkgs manual
2016-12-10 23:36:12 +01:00
Marti Serra 2698757095 steam: added documentation to nixpkgs manual 2016-12-10 17:57:33 +01:00
Frederik Rietdijk 42bad32e13 buildPythonPackage: refactor 2016-12-05 10:29:22 +01:00
Frederik Rietdijk 3d59b82925 DOCS: update Python docs to reflect fixed-point combinator 2016-12-05 09:45:11 +01:00
Frederik Rietdijk 374ac13a6e Docs: fix Python docs 2016-12-04 10:17:33 +01:00
Eric Sagnes 2b1d67a275 manual: reviewing contributions nixos -> nixpkgs (#20626) 2016-11-22 15:15:02 +01:00
Profpatsch 53fc7b8272 lib/generators: add manual documentation
Restructures the functions reference a bit.
2016-11-17 23:19:28 +01:00
Peter Simons 0a685cf8ea Merge pull request #20257 from expipiplus1/haskell-doc-typo
fix documentation typo in doc/languages-frameworks/haskell.md
2016-11-09 08:47:07 +01:00
Joe Hermaszewski 05f31e5c8a fix documentation typo in doc/languages-frameworks/haskell.md 2016-11-08 17:42:27 +00:00
Frederik Rietdijk 9cdfb33401 Docs: improve Python expressions
as it contained several mistakes and was just messy.
2016-11-08 12:44:49 +01:00
Domen Kožar 62edf873aa Merge pull request #18660 from aneeshusa/add-override-attrs
mkDerivation: add overrideAttrs function
2016-10-30 11:32:15 +01:00
Joachim Fasting a1ecc5648a
nixpkgs doc: fix build
Ref e4cd45a30c
2016-10-28 16:28:31 +02:00