3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/doc
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
..
languages-frameworks Docs: update Python contributing guidelines 2017-02-22 13:38:29 +01:00
old doc/old/cross.txt: md5 -> sha256 2017-01-24 16:26:05 +00:00
coding-conventions.xml Make more visible which fetch approach is best 2017-01-30 11:28:52 +01:00
configuration.xml nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
contributing.xml
cross-compilation.xml top-level: Allow nixpkgs to take localSystem directly 2017-02-08 22:06:57 -05:00
default.nix Merge #16501: add a guide about vim plugins 2017-01-30 18:28:20 +01:00
functions.xml wrap added notes in <note> 2017-02-20 22:25:32 -05:00
introduction.md
manual.xml nixpkgs docs: Cross compilation docs 2017-01-24 11:37:56 -05:00
meta.xml
multiple-output.xml
overlays.xml $NIXPKGS_OVERLAYS -> <nixpkgs-overlays> 2017-02-01 16:07:54 +01:00
package-notes.xml ~/.nixpkgs -> ~/.config/nixpkgs 2017-02-01 16:07:55 +01:00
quick-start.xml
release-notes.xml
reviewing-contributions.xml manual: reviewing contributions nixos -> nixpkgs (#20626) 2016-11-22 15:15:02 +01:00
stdenv.xml Merge #19328: mkWrapper fix and docs 2017-02-05 14:09:22 +01:00
style.css
submitting-changes.xml