2014-02-04 17:18:38 +01:00
|
|
|
|
let lib = import ../../../lib; in lib.makeOverridable (
|
|
|
|
|
|
2014-12-17 19:11:30 +01:00
|
|
|
|
{ system, name ? "stdenv", preHook ? "", initialPath, cc, shell
|
2016-12-19 17:10:47 +01:00
|
|
|
|
, allowedRequisites ? null, extraAttrs ? {}, overrides ? (self: super: {}), config
|
2009-02-02 16:03:38 +01:00
|
|
|
|
|
|
|
|
|
, # The `fetchurl' to use for downloading curl and its dependencies
|
|
|
|
|
# (see all-packages.nix).
|
|
|
|
|
fetchurlBoot
|
2014-02-04 17:18:38 +01:00
|
|
|
|
|
|
|
|
|
, setupScript ? ./setup.sh
|
|
|
|
|
|
|
|
|
|
, extraBuildInputs ? []
|
2015-06-12 02:58:26 +02:00
|
|
|
|
, __stdenvImpureHostDeps ? []
|
|
|
|
|
, __extraImpureHostDeps ? []
|
2015-11-21 21:06:41 +01:00
|
|
|
|
, stdenvSandboxProfile ? ""
|
|
|
|
|
, extraSandboxProfile ? ""
|
2004-07-02 12:05:53 +02:00
|
|
|
|
}:
|
|
|
|
|
|
2009-04-25 16:08:29 +02:00
|
|
|
|
let
|
|
|
|
|
|
2014-04-09 00:12:48 +02:00
|
|
|
|
allowUnfree = config.allowUnfree or false || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
2012-08-22 21:21:10 +02:00
|
|
|
|
|
2015-01-29 10:38:33 +01:00
|
|
|
|
whitelist = config.whitelistedLicenses or [];
|
|
|
|
|
blacklist = config.blacklistedLicenses or [];
|
|
|
|
|
|
2015-06-18 19:03:32 +02:00
|
|
|
|
ifDarwin = attrs: if system == "x86_64-darwin" then attrs else {};
|
|
|
|
|
|
2015-01-29 10:38:33 +01:00
|
|
|
|
onlyLicenses = list:
|
|
|
|
|
lib.lists.all (license:
|
|
|
|
|
let l = lib.licenses.${license.shortName or "BROKEN"} or false; in
|
|
|
|
|
if license == l then true else
|
2015-08-27 12:10:56 +02:00
|
|
|
|
throw ''‘${showLicense license}’ is not an attribute of lib.licenses''
|
2015-01-29 10:38:33 +01:00
|
|
|
|
) list;
|
|
|
|
|
|
|
|
|
|
mutuallyExclusive = a: b:
|
|
|
|
|
(builtins.length a) == 0 ||
|
|
|
|
|
(!(builtins.elem (builtins.head a) b) &&
|
|
|
|
|
mutuallyExclusive (builtins.tail a) b);
|
|
|
|
|
|
|
|
|
|
areLicenseListsValid =
|
|
|
|
|
if mutuallyExclusive whitelist blacklist then
|
|
|
|
|
assert onlyLicenses whitelist; assert onlyLicenses blacklist; true
|
|
|
|
|
else
|
|
|
|
|
throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive.";
|
|
|
|
|
|
|
|
|
|
hasLicense = attrs:
|
2016-10-22 02:10:38 +02:00
|
|
|
|
attrs ? meta.license;
|
2015-01-29 10:38:33 +01:00
|
|
|
|
|
|
|
|
|
hasWhitelistedLicense = assert areLicenseListsValid; attrs:
|
|
|
|
|
hasLicense attrs && builtins.elem attrs.meta.license whitelist;
|
2015-01-21 21:41:34 +01:00
|
|
|
|
|
2015-01-29 10:38:33 +01:00
|
|
|
|
hasBlacklistedLicense = assert areLicenseListsValid; attrs:
|
|
|
|
|
hasLicense attrs && builtins.elem attrs.meta.license blacklist;
|
|
|
|
|
|
|
|
|
|
allowBroken = config.allowBroken or false || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
|
|
|
|
|
|
|
|
|
|
isUnfree = licenses: lib.lists.any (l:
|
|
|
|
|
!l.free or true || l == "unfree" || l == "unfree-redistributable") licenses;
|
2015-01-21 21:41:34 +01:00
|
|
|
|
|
2014-06-14 11:01:12 +02:00
|
|
|
|
# Alow granular checks to allow only some unfree packages
|
|
|
|
|
# Example:
|
|
|
|
|
# {pkgs, ...}:
|
|
|
|
|
# {
|
|
|
|
|
# allowUnfree = false;
|
2014-06-25 16:51:18 +02:00
|
|
|
|
# allowUnfreePredicate = (x: pkgs.lib.hasPrefix "flashplayer-" x.name);
|
2014-06-14 11:01:12 +02:00
|
|
|
|
# }
|
|
|
|
|
allowUnfreePredicate = config.allowUnfreePredicate or (x: false);
|
|
|
|
|
|
2015-01-29 10:38:33 +01:00
|
|
|
|
# Check whether unfree packages are allowed and if not, whether the
|
|
|
|
|
# package has an unfree license and is not explicitely allowed by the
|
|
|
|
|
# `allowUNfreePredicate` function.
|
|
|
|
|
hasDeniedUnfreeLicense = attrs:
|
|
|
|
|
!allowUnfree &&
|
|
|
|
|
hasLicense attrs &&
|
|
|
|
|
isUnfree (lib.lists.toList attrs.meta.license) &&
|
|
|
|
|
!allowUnfreePredicate attrs;
|
2014-04-30 23:41:16 +02:00
|
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 03:02:13 +01:00
|
|
|
|
allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
|
|
|
|
|
allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x;
|
|
|
|
|
|
|
|
|
|
hasAllowedInsecure = attrs:
|
|
|
|
|
(attrs.meta.knownVulnerabilities or []) == [] ||
|
|
|
|
|
allowInsecurePredicate attrs ||
|
|
|
|
|
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
|
|
|
|
|
|
2015-08-27 12:10:56 +02:00
|
|
|
|
showLicense = license: license.shortName or "unknown";
|
|
|
|
|
|
2014-11-06 12:10:28 +01:00
|
|
|
|
defaultNativeBuildInputs = extraBuildInputs ++
|
2014-07-08 14:26:35 +02:00
|
|
|
|
[ ../../build-support/setup-hooks/move-docs.sh
|
|
|
|
|
../../build-support/setup-hooks/compress-man-pages.sh
|
2014-06-27 13:33:05 +02:00
|
|
|
|
../../build-support/setup-hooks/strip.sh
|
|
|
|
|
../../build-support/setup-hooks/patch-shebangs.sh
|
2014-08-30 08:27:43 +02:00
|
|
|
|
../../build-support/setup-hooks/multiple-outputs.sh
|
2014-10-07 14:43:56 +02:00
|
|
|
|
../../build-support/setup-hooks/move-sbin.sh
|
2014-10-07 15:04:13 +02:00
|
|
|
|
../../build-support/setup-hooks/move-lib64.sh
|
2016-01-05 15:32:59 +01:00
|
|
|
|
../../build-support/setup-hooks/set-source-date-epoch-to-latest.sh
|
2014-12-17 19:11:30 +01:00
|
|
|
|
cc
|
2014-06-27 13:33:05 +02:00
|
|
|
|
];
|
|
|
|
|
|
2016-09-18 11:20:53 +02:00
|
|
|
|
# `mkDerivation` wraps the builtin `derivation` function to
|
|
|
|
|
# produce derivations that use this stdenv and its shell.
|
|
|
|
|
#
|
|
|
|
|
# See also:
|
|
|
|
|
#
|
|
|
|
|
# * https://nixos.org/nixpkgs/manual/#sec-using-stdenv
|
|
|
|
|
# Details on how to use this mkDerivation function
|
|
|
|
|
#
|
|
|
|
|
# * https://nixos.org/nix/manual/#ssec-derivation
|
|
|
|
|
# Explanation about derivations in general
|
2015-03-06 16:42:06 +01:00
|
|
|
|
mkDerivation =
|
|
|
|
|
{ buildInputs ? []
|
|
|
|
|
, nativeBuildInputs ? []
|
|
|
|
|
, propagatedBuildInputs ? []
|
|
|
|
|
, propagatedNativeBuildInputs ? []
|
|
|
|
|
, crossConfig ? null
|
|
|
|
|
, meta ? {}
|
|
|
|
|
, passthru ? {}
|
2015-03-27 16:11:18 +01:00
|
|
|
|
, pos ? null # position used in error messages and for meta.position
|
2015-09-17 15:24:32 +02:00
|
|
|
|
, separateDebugInfo ? false
|
|
|
|
|
, outputs ? [ "out" ]
|
|
|
|
|
, __impureHostDeps ? []
|
|
|
|
|
, __propagatedImpureHostDeps ? []
|
2015-11-21 21:06:41 +01:00
|
|
|
|
, sandboxProfile ? ""
|
|
|
|
|
, propagatedSandboxProfile ? ""
|
2015-03-06 16:42:06 +01:00
|
|
|
|
, ... } @ attrs:
|
top-level: Introduce `buildPackages` for resolving build-time deps
[N.B., this package also applies to the commits that follow it in the same
PR.]
In most cases, buildPackages = pkgs so things work just as before. For
cross compiling, however, buildPackages is resolved as the previous
bootstrapping stage. This allows us to avoid the mkDerivation hacks cross
compiling currently uses today.
To avoid a massive refactor, callPackage will splice together both package
sets. Again to avoid churn, it uses the old `nativeDrv` vs `crossDrv` to do
so. So now, whether cross compiling or not, packages with get a `nativeDrv`
and `crossDrv`---in the non-cross-compiling case they are simply the same
derivation. This is good because it reduces the divergence between the
cross and non-cross dataflow. See `pkgs/top-level/splice.nix` for a comment
along the lines of the preceding paragraph, and the code that does this
splicing.
Also, `forceNativeDrv` is replaced with `forceNativePackages`. The latter
resolves `pkgs` unless the host platform is different from the build
platform, in which case it resolves to `buildPackages`. Note that the
target platform is not important here---it will not prevent
`forcedNativePackages` from resolving to `pkgs`.
--------
Temporarily, we make preserve some dubious decisions in the name of preserving
hashes:
Most importantly, we don't distinguish between "host" and "target" in the
autoconf sense. This leads to the proliferation of *Cross derivations
currently used. What we ought to is resolve native deps of the cross "build
packages" (build = host != target) package set against the "vanilla
packages" (build = host = target) package set. Instead, "build packages"
uses itself, with (informally) target != build in all cases.
This is wrong because it violates the "sliding window" principle of
bootstrapping stages that shifting the platform triple of one stage to the
left coincides with the next stage's platform triple. Only because we don't
explicitly distinguish between "host" and "target" does it appear that the
"sliding window" principle is preserved--indeed it is over the reductionary
"platform double" of just "build" and "host/target".
Additionally, we build libc, libgcc, etc in the same stage as the compilers
themselves, which is wrong because they are used at runtime, not build
time. Fixing this is somewhat subtle, and the solution and problem will be
better explained in the commit that does fix it.
Commits after this will solve both these issues, at the expense of breaking
cross hashes. Native hashes won't be broken, thankfully.
--------
Did the temporary ugliness pan out? Of the packages that currently build in
`release-cross.nix`, the only ones that have their hash changed are
`*.gcc.crossDrv` and `bootstrapTools.*.coreutilsMinimal`. In both cases I
think it doesn't matter.
1. GCC when doing a `build = host = target = foreign` build (maximally
cross), still defines environment variables like `CPATH`[1] with
packages. This seems assuredly wrong because whether gcc dynamically
links those, or the programs built by gcc dynamically link those---I
have no idea which case is reality---they should be foreign. Therefore,
in all likelihood, I just made the gcc less broken.
2. Coreutils (ab)used the old cross-compiling infrastructure to depend on
a native version of itself. When coreutils was overwritten to be built
with fewer features, the native version it used would also be
overwritten because the binding was tight. Now it uses the much looser
`BuildPackages.coreutils` which is just fine as a richer build dep
doesn't cause any problems and avoids a rebuild.
So, in conclusion I'd say the conservatism payed off. Onward to actually
raking the muck in the next PR!
[1]: https://gcc.gnu.org/onlinedocs/gcc/Environment-Variables.html
2016-12-18 08:51:18 +01:00
|
|
|
|
let # Rename argumemnts to avoid cycles
|
|
|
|
|
buildInputs__ = buildInputs;
|
|
|
|
|
nativeBuildInputs__ = nativeBuildInputs;
|
|
|
|
|
propagatedBuildInputs__ = propagatedBuildInputs;
|
|
|
|
|
propagatedNativeBuildInputs__ = propagatedNativeBuildInputs;
|
|
|
|
|
in let
|
|
|
|
|
getNativeDrv = drv: drv.nativeDrv or drv;
|
|
|
|
|
getCrossDrv = drv: drv.crossDrv or drv;
|
|
|
|
|
nativeBuildInputs = map getNativeDrv nativeBuildInputs__;
|
|
|
|
|
buildInputs = map getCrossDrv buildInputs__;
|
|
|
|
|
propagatedBuildInputs = map getCrossDrv propagatedBuildInputs__;
|
|
|
|
|
propagatedNativeBuildInputs = map getNativeDrv propagatedNativeBuildInputs__;
|
|
|
|
|
in let
|
2015-03-27 16:11:18 +01:00
|
|
|
|
pos' =
|
|
|
|
|
if pos != null then
|
|
|
|
|
pos
|
|
|
|
|
else if attrs.meta.description or null != null then
|
|
|
|
|
builtins.unsafeGetAttrPos "description" attrs.meta
|
2014-07-01 16:43:52 +02:00
|
|
|
|
else
|
2015-03-27 16:11:18 +01:00
|
|
|
|
builtins.unsafeGetAttrPos "name" attrs;
|
|
|
|
|
pos'' = if pos' != null then "‘" + pos'.file + ":" + toString pos'.line + "’" else "«unknown-file»";
|
2015-01-07 17:27:29 +01:00
|
|
|
|
|
2015-01-29 10:38:33 +01:00
|
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 03:02:13 +01:00
|
|
|
|
remediation = {
|
|
|
|
|
unfree = remediate_whitelist "Unfree";
|
|
|
|
|
broken = remediate_whitelist "Broken";
|
|
|
|
|
blacklisted = x: "";
|
|
|
|
|
insecure = remediate_insecure;
|
|
|
|
|
};
|
|
|
|
|
remediate_whitelist = allow_attr: attrs:
|
|
|
|
|
''
|
2015-12-09 17:00:33 +01:00
|
|
|
|
a) For `nixos-rebuild` you can set
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 03:02:13 +01:00
|
|
|
|
{ nixpkgs.config.allow${allow_attr} = true; }
|
2015-01-07 18:31:32 +01:00
|
|
|
|
in configuration.nix to override this.
|
2015-12-09 17:00:33 +01:00
|
|
|
|
|
2016-11-16 15:14:08 +01:00
|
|
|
|
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 03:02:13 +01:00
|
|
|
|
{ allow${allow_attr} = true; }
|
2017-02-01 16:03:42 +01:00
|
|
|
|
to ~/.config/nixpkgs/config.nix.
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 03:02:13 +01:00
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
remediate_insecure = attrs:
|
|
|
|
|
''
|
|
|
|
|
|
|
|
|
|
Known issues:
|
|
|
|
|
|
|
|
|
|
'' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + ''
|
|
|
|
|
|
|
|
|
|
You can install it anyway by whitelisting this package, using the
|
|
|
|
|
following methods:
|
|
|
|
|
|
|
|
|
|
a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to
|
|
|
|
|
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
|
|
|
|
|
like so:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
nixpkgs.config.permittedInsecurePackages = [
|
|
|
|
|
"${attrs.name or "«name-missing»"}"
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
|
|
|
|
‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in
|
|
|
|
|
~/.config/nixpkgs/config.nix, like so:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
permittedInsecurePackages = [
|
|
|
|
|
"${attrs.name or "«name-missing»"}"
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
throwEvalHelp = { reason , errormsg ? "" }:
|
|
|
|
|
throw (''
|
|
|
|
|
Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate.
|
|
|
|
|
|
|
|
|
|
'' + ((builtins.getAttr reason remediation) attrs));
|
2015-01-29 10:38:33 +01:00
|
|
|
|
|
2015-11-27 20:49:26 +01:00
|
|
|
|
# Check if a derivation is valid, that is whether it passes checks for
|
|
|
|
|
# e.g brokenness or license.
|
|
|
|
|
#
|
|
|
|
|
# Return { valid: Bool } and additionally
|
|
|
|
|
# { reason: String; errormsg: String } if it is not valid, where
|
|
|
|
|
# reason is one of "unfree", "blacklisted" or "broken".
|
|
|
|
|
checkValidity = attrs:
|
2015-01-29 10:38:33 +01:00
|
|
|
|
if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
|
2015-11-27 20:49:26 +01:00
|
|
|
|
{ valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
2015-01-29 10:38:33 +01:00
|
|
|
|
else if hasBlacklistedLicense attrs then
|
2015-11-27 20:49:26 +01:00
|
|
|
|
{ valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; }
|
2015-01-29 10:38:33 +01:00
|
|
|
|
else if !allowBroken && attrs.meta.broken or false then
|
2015-11-27 20:49:26 +01:00
|
|
|
|
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
|
2015-01-29 10:46:35 +01:00
|
|
|
|
else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then
|
2015-11-27 20:49:26 +01:00
|
|
|
|
{ valid = false; reason = "broken"; errormsg = "is not supported on ‘${result.system}’"; }
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 03:02:13 +01:00
|
|
|
|
else if !(hasAllowedInsecure attrs) then
|
|
|
|
|
{ valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
|
2015-11-27 20:49:26 +01:00
|
|
|
|
else { valid = true; };
|
2015-01-21 21:41:34 +01:00
|
|
|
|
|
2015-09-17 15:24:32 +02:00
|
|
|
|
outputs' =
|
|
|
|
|
outputs ++
|
2015-09-22 20:21:10 +02:00
|
|
|
|
(if separateDebugInfo then assert result.isLinux; [ "debug" ] else []);
|
2015-09-17 15:24:32 +02:00
|
|
|
|
|
2016-01-23 23:18:38 +01:00
|
|
|
|
buildInputs' = lib.chooseDevOutputs buildInputs ++
|
2015-09-17 15:24:32 +02:00
|
|
|
|
(if separateDebugInfo then [ ../../build-support/setup-hooks/separate-debug-info.sh ] else []);
|
|
|
|
|
|
2016-01-23 23:18:38 +01:00
|
|
|
|
nativeBuildInputs' = lib.chooseDevOutputs nativeBuildInputs;
|
|
|
|
|
propagatedBuildInputs' = lib.chooseDevOutputs propagatedBuildInputs;
|
|
|
|
|
propagatedNativeBuildInputs' = lib.chooseDevOutputs propagatedNativeBuildInputs;
|
|
|
|
|
|
2014-07-01 16:43:52 +02:00
|
|
|
|
in
|
2015-11-27 20:49:26 +01:00
|
|
|
|
|
|
|
|
|
# Throw an error if trying to evaluate an non-valid derivation
|
|
|
|
|
assert let v = checkValidity attrs;
|
|
|
|
|
in if !v.valid
|
|
|
|
|
then throwEvalHelp (removeAttrs v ["valid"])
|
|
|
|
|
else true;
|
2015-01-29 10:38:33 +01:00
|
|
|
|
|
2014-07-01 16:43:52 +02:00
|
|
|
|
lib.addPassthru (derivation (
|
2015-06-18 19:03:32 +02:00
|
|
|
|
(removeAttrs attrs
|
|
|
|
|
["meta" "passthru" "crossAttrs" "pos"
|
2015-11-07 02:44:02 +01:00
|
|
|
|
"__impureHostDeps" "__propagatedImpureHostDeps"
|
2015-11-21 21:06:41 +01:00
|
|
|
|
"sandboxProfile" "propagatedSandboxProfile"])
|
2015-06-12 02:58:26 +02:00
|
|
|
|
// (let
|
2015-11-07 02:44:02 +01:00
|
|
|
|
computedSandboxProfile =
|
2016-01-23 23:18:38 +01:00
|
|
|
|
lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs');
|
2015-11-07 02:44:02 +01:00
|
|
|
|
computedPropagatedSandboxProfile =
|
2016-01-23 23:18:38 +01:00
|
|
|
|
lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs');
|
2015-09-17 15:24:32 +02:00
|
|
|
|
computedImpureHostDeps =
|
2016-01-23 23:18:38 +01:00
|
|
|
|
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs'));
|
2015-09-17 15:24:32 +02:00
|
|
|
|
computedPropagatedImpureHostDeps =
|
2016-01-23 23:18:38 +01:00
|
|
|
|
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs'));
|
2015-06-12 02:58:26 +02:00
|
|
|
|
in
|
2014-07-01 16:43:52 +02:00
|
|
|
|
{
|
|
|
|
|
builder = attrs.realBuilder or shell;
|
|
|
|
|
args = attrs.args or ["-e" (attrs.builder or ./default-builder.sh)];
|
|
|
|
|
stdenv = result;
|
|
|
|
|
system = result.system;
|
|
|
|
|
userHook = config.stdenv.userHook or null;
|
|
|
|
|
__ignoreNulls = true;
|
|
|
|
|
|
|
|
|
|
# Inputs built by the cross compiler.
|
2015-09-17 15:24:32 +02:00
|
|
|
|
buildInputs = if crossConfig != null then buildInputs' else [];
|
2016-01-23 23:18:38 +01:00
|
|
|
|
propagatedBuildInputs = if crossConfig != null then propagatedBuildInputs' else [];
|
2014-07-01 16:43:52 +02:00
|
|
|
|
# Inputs built by the usual native compiler.
|
2016-01-23 23:18:38 +01:00
|
|
|
|
nativeBuildInputs = nativeBuildInputs'
|
2016-02-10 21:18:34 +01:00
|
|
|
|
++ lib.optionals (crossConfig == null) buildInputs'
|
|
|
|
|
++ lib.optional
|
|
|
|
|
(result.isCygwin
|
|
|
|
|
|| (crossConfig != null && lib.hasSuffix "mingw32" crossConfig))
|
|
|
|
|
../../build-support/setup-hooks/win-dll-link.sh
|
|
|
|
|
;
|
2016-01-23 23:18:38 +01:00
|
|
|
|
propagatedNativeBuildInputs = propagatedNativeBuildInputs' ++
|
|
|
|
|
(if crossConfig == null then propagatedBuildInputs' else []);
|
2015-06-18 19:03:32 +02:00
|
|
|
|
} // ifDarwin {
|
2015-11-13 03:59:17 +01:00
|
|
|
|
# TODO: remove lib.unique once nix has a list canonicalization primitive
|
2015-11-21 21:06:41 +01:00
|
|
|
|
__sandboxProfile =
|
|
|
|
|
let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
|
2015-11-13 03:59:17 +01:00
|
|
|
|
final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
|
|
|
|
|
in final;
|
2015-11-21 21:06:41 +01:00
|
|
|
|
__propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
|
2015-06-18 06:54:29 +02:00
|
|
|
|
__impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
|
2015-06-12 02:58:26 +02:00
|
|
|
|
"/dev/zero"
|
|
|
|
|
"/dev/random"
|
|
|
|
|
"/dev/urandom"
|
|
|
|
|
"/bin/sh"
|
2015-06-18 06:54:29 +02:00
|
|
|
|
];
|
2015-06-18 19:03:32 +02:00
|
|
|
|
__propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
|
2015-09-17 15:24:32 +02:00
|
|
|
|
} // (if outputs' != [ "out" ] then {
|
|
|
|
|
outputs = outputs';
|
|
|
|
|
} else { })))) (
|
2014-07-01 16:43:52 +02:00
|
|
|
|
{
|
2016-08-20 04:21:32 +02:00
|
|
|
|
overrideAttrs = f: mkDerivation (attrs // (f attrs));
|
2014-07-01 16:43:52 +02:00
|
|
|
|
# The meta attribute is passed in the resulting attribute set,
|
|
|
|
|
# but it's not part of the actual derivation, i.e., it's not
|
|
|
|
|
# passed to the builder and is not a dependency. But since we
|
2016-03-14 11:56:03 +01:00
|
|
|
|
# include it in the result, it *is* available to nix-env for queries.
|
|
|
|
|
meta = { }
|
|
|
|
|
# If the packager hasn't specified `outputsToInstall`, choose a default,
|
2016-04-18 16:06:15 +02:00
|
|
|
|
# which is the name of `p.bin or p.out or p`;
|
2016-03-14 11:56:03 +01:00
|
|
|
|
# if he has specified it, it will be overridden below in `// meta`.
|
2016-03-14 12:15:58 +01:00
|
|
|
|
# Note: This default probably shouldn't be globally configurable.
|
|
|
|
|
# Services and users should specify outputs explicitly,
|
|
|
|
|
# unless they are comfortable with this default.
|
2016-03-14 11:56:03 +01:00
|
|
|
|
// { outputsToInstall =
|
|
|
|
|
let
|
|
|
|
|
outs = outputs'; # the value passed to derivation primitive
|
|
|
|
|
hasOutput = out: builtins.elem out outs;
|
|
|
|
|
in [( lib.findFirst hasOutput null (["bin" "out"] ++ outs) )];
|
|
|
|
|
}
|
|
|
|
|
// meta
|
|
|
|
|
# Fill `meta.position` to identify the source location of the package.
|
|
|
|
|
// lib.optionalAttrs (pos' != null)
|
|
|
|
|
{ position = pos'.file + ":" + toString pos'.line; }
|
|
|
|
|
;
|
2015-03-06 16:42:06 +01:00
|
|
|
|
inherit passthru;
|
2014-07-01 16:43:52 +02:00
|
|
|
|
} //
|
|
|
|
|
# Pass through extra attributes that are not inputs, but
|
|
|
|
|
# should be made available to Nix expressions using the
|
|
|
|
|
# derivation (e.g., in assertions).
|
2015-03-06 16:42:06 +01:00
|
|
|
|
passthru);
|
2014-07-01 16:43:52 +02:00
|
|
|
|
|
2014-02-04 17:18:38 +01:00
|
|
|
|
# The stdenv that we are producing.
|
|
|
|
|
result =
|
2014-08-29 22:09:01 +02:00
|
|
|
|
derivation (
|
2014-11-06 13:33:08 +01:00
|
|
|
|
(if isNull allowedRequisites then {} else { allowedRequisites = allowedRequisites ++ defaultNativeBuildInputs; }) //
|
2014-08-29 22:09:01 +02:00
|
|
|
|
{
|
2014-02-04 17:18:38 +01:00
|
|
|
|
inherit system name;
|
|
|
|
|
|
|
|
|
|
builder = shell;
|
|
|
|
|
|
|
|
|
|
args = ["-e" ./builder.sh];
|
|
|
|
|
|
|
|
|
|
setup = setupScript;
|
|
|
|
|
|
2014-11-06 12:10:28 +01:00
|
|
|
|
inherit preHook initialPath shell defaultNativeBuildInputs;
|
2015-06-18 19:03:32 +02:00
|
|
|
|
}
|
|
|
|
|
// ifDarwin {
|
2015-11-21 21:06:41 +01:00
|
|
|
|
__sandboxProfile = stdenvSandboxProfile;
|
2015-06-18 19:03:32 +02:00
|
|
|
|
__impureHostDeps = __stdenvImpureHostDeps;
|
2014-08-29 22:09:01 +02:00
|
|
|
|
})
|
2014-02-04 17:18:38 +01:00
|
|
|
|
|
|
|
|
|
// rec {
|
|
|
|
|
|
2016-08-28 16:56:31 +02:00
|
|
|
|
meta = {
|
|
|
|
|
description = "The default build environment for Unix packages in Nixpkgs";
|
|
|
|
|
platforms = lib.platforms.all;
|
|
|
|
|
};
|
2014-02-04 17:18:38 +01:00
|
|
|
|
|
|
|
|
|
# Utility flags to test the type of platform.
|
2014-02-04 17:34:15 +01:00
|
|
|
|
isDarwin = system == "x86_64-darwin";
|
|
|
|
|
isLinux = system == "i686-linux"
|
|
|
|
|
|| system == "x86_64-linux"
|
|
|
|
|
|| system == "powerpc-linux"
|
|
|
|
|
|| system == "armv5tel-linux"
|
|
|
|
|
|| system == "armv6l-linux"
|
|
|
|
|
|| system == "armv7l-linux"
|
2016-02-04 23:47:23 +01:00
|
|
|
|
|| system == "aarch64-linux"
|
2014-02-04 17:34:15 +01:00
|
|
|
|
|| system == "mips64el-linux";
|
|
|
|
|
isGNU = system == "i686-gnu"; # GNU/Hurd
|
|
|
|
|
isGlibc = isGNU # useful for `stdenvNative'
|
2014-02-04 17:18:38 +01:00
|
|
|
|
|| isLinux
|
2014-02-04 17:34:15 +01:00
|
|
|
|
|| system == "x86_64-kfreebsd-gnu";
|
|
|
|
|
isSunOS = system == "i686-solaris"
|
|
|
|
|
|| system == "x86_64-solaris";
|
2014-05-29 14:47:07 +02:00
|
|
|
|
isCygwin = system == "i686-cygwin"
|
|
|
|
|
|| system == "x86_64-cygwin";
|
2014-02-04 17:34:15 +01:00
|
|
|
|
isFreeBSD = system == "i686-freebsd"
|
2015-02-25 04:15:51 +01:00
|
|
|
|
|| system == "x86_64-freebsd";
|
2014-02-04 17:34:15 +01:00
|
|
|
|
isOpenBSD = system == "i686-openbsd"
|
2015-02-25 04:15:51 +01:00
|
|
|
|
|| system == "x86_64-openbsd";
|
2014-02-04 17:34:15 +01:00
|
|
|
|
isi686 = system == "i686-linux"
|
|
|
|
|
|| system == "i686-gnu"
|
|
|
|
|
|| system == "i686-freebsd"
|
|
|
|
|
|| system == "i686-openbsd"
|
2015-05-26 15:18:49 +02:00
|
|
|
|
|| system == "i686-cygwin"
|
2014-02-04 17:34:15 +01:00
|
|
|
|
|| system == "i386-sunos";
|
|
|
|
|
isx86_64 = system == "x86_64-linux"
|
|
|
|
|
|| system == "x86_64-darwin"
|
|
|
|
|
|| system == "x86_64-freebsd"
|
|
|
|
|
|| system == "x86_64-openbsd"
|
2015-05-26 15:18:49 +02:00
|
|
|
|
|| system == "x86_64-cygwin"
|
2014-02-04 17:34:15 +01:00
|
|
|
|
|| system == "x86_64-solaris";
|
|
|
|
|
is64bit = system == "x86_64-linux"
|
|
|
|
|
|| system == "x86_64-darwin"
|
|
|
|
|
|| system == "x86_64-freebsd"
|
|
|
|
|
|| system == "x86_64-openbsd"
|
2015-05-26 15:18:49 +02:00
|
|
|
|
|| system == "x86_64-cygwin"
|
2015-04-26 00:08:05 +02:00
|
|
|
|
|| system == "x86_64-solaris"
|
2017-01-29 17:42:58 +01:00
|
|
|
|
|| system == "aarch64-linux"
|
2015-04-26 00:08:05 +02:00
|
|
|
|
|| system == "mips64el-linux";
|
2014-02-04 17:34:15 +01:00
|
|
|
|
isMips = system == "mips-linux"
|
|
|
|
|
|| system == "mips64el-linux";
|
|
|
|
|
isArm = system == "armv5tel-linux"
|
|
|
|
|
|| system == "armv6l-linux"
|
2017-03-11 14:54:24 +01:00
|
|
|
|
|| system == "armv7l-linux";
|
2016-02-04 23:47:23 +01:00
|
|
|
|
isAarch64 = system == "aarch64-linux";
|
nixos: Add system-wide option to set the hostid
The old boot.spl.hostid option was not working correctly due to an
upstream bug.
Instead, now we will create the /etc/hostid file so that all applications
(including the ZFS kernel modules, ZFS user-space applications and other
unrelated programs) pick-up the same system-wide host id. Note that glibc
(and by extension, the `hostid` program) also respect the host id configured in
/etc/hostid, if it exists.
The hostid option is now mandatory when using ZFS because otherwise, ZFS will
require you to force-import your ZFS pools if you want to use them, which is
undesirable because it disables some of the checks that ZFS does to make sure it
is safe to import a ZFS pool.
The /etc/hostid file must also exist when booting the initrd, before the SPL
kernel module is loaded, so that ZFS picks up the hostid correctly.
The complexity in creating the /etc/hostid file is due to having to
write the host ID as a 32-bit binary value, taking into account the
endianness of the machine, while using only shell commands and/or simple
utilities (to avoid exploding the size of the initrd).
2014-10-23 04:59:06 +02:00
|
|
|
|
isBigEndian = system == "powerpc-linux";
|
2014-02-04 17:18:38 +01:00
|
|
|
|
|
2014-06-30 14:26:23 +02:00
|
|
|
|
# Whether we should run paxctl to pax-mark binaries.
|
|
|
|
|
needsPax = isLinux;
|
|
|
|
|
|
2014-07-01 16:43:52 +02:00
|
|
|
|
inherit mkDerivation;
|
|
|
|
|
|
2014-02-04 17:18:38 +01:00
|
|
|
|
# For convenience, bring in the library functions in lib/ so
|
|
|
|
|
# packages don't have to do that themselves.
|
|
|
|
|
inherit lib;
|
|
|
|
|
|
|
|
|
|
inherit fetchurlBoot;
|
|
|
|
|
|
|
|
|
|
inherit overrides;
|
2014-07-01 16:17:23 +02:00
|
|
|
|
|
2014-12-17 19:11:30 +01:00
|
|
|
|
inherit cc;
|
2014-02-04 17:18:38 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Propagate any extra attributes. For instance, we use this to
|
|
|
|
|
# "lift" packages like curl from the final stdenv for Linux to
|
|
|
|
|
# all-packages.nix for that platform (meaning that it has a line
|
|
|
|
|
# like curl = if stdenv ? curl then stdenv.curl else ...).
|
|
|
|
|
// extraAttrs;
|
|
|
|
|
|
|
|
|
|
in result)
|