mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 05:31:22 +00:00
Code Issues Wiki Activity
Nix Packages collection
101246 commits 319 branches 124 tags 6.6 GiB
Nix 96.2%
Shell 1.6%
Python 1.1%
Perl 0.2%
C 0.2%
Other 0.2%
Go to file
Graham Christensen 38771badd3
nixpkgs: allow packages to be marked insecure 
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 20:49:49 -05:00
.github CONTRIBUTING.md: improve commit message guidelines 2017-02-06 22:26:32 +02:00
doc Merge branch 'master' into staging 2017-02-09 08:42:04 +01:00
lib pypandoc: 1.2.0 (broken) -> 1.3.3 (#22782) 2017-02-15 15:28:23 +00:00
maintainers Add a script to get failures for hydra eval /cc @globin 2017-01-28 22:29:15 +01:00
nixos Revert "nginx: Format the config file" 2017-02-16 22:45:00 +01:00
pkgs nixpkgs: allow packages to be marked insecure 2017-02-17 20:49:49 -05:00
.editorconfig Do not trim trailing whitespace in patch files 2017-01-12 23:44:26 +01:00
.gitignore
.mention-bot include me in mention bot for darwin 2016-12-09 21:19:32 +01:00
.travis.yml travis: also evaluate nixpkgs-unstable 2016-12-15 22:43:14 +01:00
.version
COPYING Time passing by 2017-01-01 21:35:52 +01:00
default.nix
README.md README: Update to 16.09 2016-10-04 17:45:24 +02:00

README.md

logo

Build Status Code Triagers Badge

Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:

% git remote add channels git://github.com/NixOS/nixpkgs-channels.git

For stability and maximum binary package support, it is recommended to maintain custom changes on top of one of the channels, e.g. nixos-16.09 for the latest release and nixos-unstable for the latest successful build of master:

% git remote update channels
% git rebase channels/nixos-16.09

For pull-requests, please rebase onto nixpkgs master.

NixOS linux distribution source code is located inside nixos/ folder.

Communication: