colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mirror of https://github.com/nixos/nixpkgs
101,841 Commits 124 Branches 0 Tags 3.3 GiB
Nix 95.6%
Shell 1.9%
Python 1.2%
Perl 0.3%
C 0.2%
Other 0.3%
a9c875fc2e
Go to file
Graham Christensen a9c875fc2e
nixpkgs: allow packages to be marked insecure 
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-24 07:41:05 -05:00
.github CONTRIBUTING.md: improve commit message guidelines 2017-02-06 22:26:32 +02:00
doc nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
lib ndpi: init at 1.8 2017-02-22 00:20:10 -08:00
maintainers Add a script to get failures for hydra eval /cc @globin 2017-01-28 22:29:15 +01:00
nixos nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
pkgs nixpkgs: allow packages to be marked insecure 2017-02-24 07:41:05 -05:00
.editorconfig Do not trim trailing whitespace in patch files 2017-01-12 23:44:26 +01:00
.gitignore kde5: consolidate packages into desktops/kde-5 2016-03-01 10:36:00 -06:00
.mention-bot include me in mention bot for darwin 2016-12-09 21:19:32 +01:00
.travis.yml travis: also evaluate nixpkgs-unstable 2016-12-15 22:43:14 +01:00
.version unstable is now 17.03 2016-09-02 08:47:21 +02:00
COPYING Time passing by 2017-01-01 21:35:52 +01:00
default.nix Separate fix-point from config importing hacks and other impurities 2016-07-14 14:33:23 -07:00
README.md README: Update to 16.09 2016-10-04 17:45:24 +02:00

README.md

logo

Build Status Code Triagers Badge

Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:

% git remote add channels git://github.com/NixOS/nixpkgs-channels.git

For stability and maximum binary package support, it is recommended to maintain custom changes on top of one of the channels, e.g. nixos-16.09 for the latest release and nixos-unstable for the latest successful build of master:

% git remote update channels
% git rebase channels/nixos-16.09

For pull-requests, please rebase onto nixpkgs master.

NixOS linux distribution source code is located inside nixos/ folder.

Communication: