3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/nixos/doc/manual
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
..
administration NixOS Manual: Container Networking with NM 2016-11-20 17:25:33 +01:00
configuration Merge pull request #23046 from Zimmi48/patch-2 2017-02-22 01:40:50 +01:00
development nixos manual: correct reference to sddm 2017-02-10 22:52:08 -05:00
installation manual: Add link to config section (#22994) 2017-02-20 14:32:49 +01:00
release-notes nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
default.nix NixOS: Use runCommand instead of mkDerivation in a few places 2016-09-29 13:05:28 +02:00
man-configuration.xml Manual: Explicitly mark commands that require to be run as root (#15589) 2016-06-01 15:23:32 +01:00
man-nixos-build-vms.xml Manual: Explicitly mark commands that require to be run as root (#15589) 2016-06-01 15:23:32 +01:00
man-nixos-generate-config.xml nixos-generate-config: Emit LUKS configuration for boot device 2016-05-25 18:04:41 +02:00
man-nixos-install.xml nixos-install: add options --closure, --no-channel-copy, --no-root-passwd, and --no-bootloader 2016-08-04 16:22:25 +01:00
man-nixos-option.xml Manual: Explicitly mark commands that require to be run as root (#15589) 2016-06-01 15:23:32 +01:00
man-nixos-rebuild.xml doc: correct typo (#21176) 2016-12-15 17:13:44 +01:00
man-nixos-version.xml Add some more info to the nixos-version manpage 2016-07-15 12:02:39 +02:00
man-pages.xml doc: add man page for nixos-version (#16869) 2016-07-12 16:29:13 +02:00
manual.xml fix manual 2016-06-01 21:55:31 +01:00
options-to-docbook.xsl fix https://github.com/NixOS/nixops/issues/331 2016-06-03 15:55:17 +01:00
README nixos/doc/manual: Fix typos in README. 2014-07-23 15:00:25 +02:00
style.css Manual: Chunk into separate pages 2014-08-25 19:08:31 +02:00

To build the manual, you need Nix installed on your system (no need
for NixOS). To install Nix, follow the instructions at

    https://nixos.org/nix/download.html

When you have Nix on your system, in the root directory of the project
(i.e., `nixpkgs`), run:

    nix-build nixos/release.nix -A manual.x86_64-linux

When this command successfully finishes, it will tell you where the
manual got generated.