1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-27 08:01:14 +00:00
nixpkgs/pkgs/stdenv
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
..
cross cross stdenv: let build package's build deps resolve to native packages 2017-02-05 12:01:53 -05:00
custom top-level: Lay the groundwork for {build,host,target}Platform 2017-01-24 11:37:56 -05:00
cygwin Allow not rebasing in cygwin stdenv. 2016-05-20 17:17:10 +02:00
darwin top-level: Lay the groundwork for {build,host,target}Platform 2017-01-24 11:37:56 -05:00
freebsd top-level: Lay the groundwork for {build,host,target}Platform 2017-01-24 11:37:56 -05:00
generic nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
linux make-bootstrap-tools{,-cross}.nix: Fix build after binutils changes 2017-02-04 23:39:25 +02:00
native top-level: Lay the groundwork for {build,host,target}Platform 2017-01-24 11:37:56 -05:00
nix top-level: Lay the groundwork for {build,host,target}Platform 2017-01-24 11:37:56 -05:00
adapters.nix ~/.nixpkgs -> ~/.config/nixpkgs 2017-02-01 16:07:55 +01:00
booter.nix top-level: Only splice as needed for performance 2017-01-24 11:37:56 -05:00
common-path.nix bzip2: split into multiple outputs, refactor 2015-04-18 19:32:52 +02:00
default.nix stdenv: Bringup aarch64 architecture support 2017-01-25 00:01:51 +02:00