nixpkgs/nixos
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
..
doc/manual nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
lib make-disk-image.nix: support additional filesystem contents 2017-02-22 23:49:49 +00:00
maintainers make-disk-image.nix: support additional filesystem contents 2017-02-22 23:49:49 +00:00
modules Merge pull request #23109 from dtzWill/update/neo4j 2017-02-23 19:02:32 +01:00
tests Merge pull request #22822 from Mic92/iputils 2017-02-22 00:37:13 +01:00
COPYING
default.nix
README
release-combined.nix nixos: drop references to kde4 2017-02-11 14:01:13 -05:00
release-small.nix nixos/release-small.nix: cleanup to use default versions 2017-01-27 15:33:54 +01:00
release.nix pam_oath: require OATH and pam_unix credentials to be valid 2017-02-12 18:27:11 -05:00

*** NixOS ***

NixOS is a Linux distribution based on the purely functional package
management system Nix.  More information can be found at
http://nixos.org/nixos and in the manual in doc/manual.