author: Graham Christensen <graham@grahamc.com> 2017-02-16 21:02:13 -0500
committer: Graham Christensen <graham@grahamc.com> 2017-02-24 07:41:05 -0500
commit: a9c875fc2e65e80324ce1e624abd2a765ae815f8 (patch)
tree: 4a9dba4d9f3086e7d341c24b942db5bb2af9689a /nixos/doc
parent: d36b1ccc135fd86dd228db735ce6ef54d69cd9a1 (diff)
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
    ‘foobar-1.2.3’ to `permittedInsecurePackages` in
    ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

  NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
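The decision the commit message describes, as an added stand-alone illustration (not nixpkgs' own check-meta code): a package with `meta.knownVulnerabilities` evaluates only if its exact name is whitelisted or `NIXPKGS_ALLOW_INSECURE=1` is set; the `config`, `foobarNext` and `clean` values are constructed here.

```nix
# Added illustration, not the nixpkgs implementation. Evaluate with:
#   nix-instantiate --eval --strict insecure-policy.nix
#   NIXPKGS_ALLOW_INSECURE=1 nix-instantiate --eval --strict insecure-policy.nix
let
  # Stand-in for the user's config.nix / nixpkgs.config (constructed).
  config = {
    permittedInsecurePackages = [ "foobar-1.2.3" ];
  };

  # Constructed sample packages; the CVE ids are the placeholders from the
  # commit message, not real advisories.
  foobar = {
    name = "foobar-1.2.3";
    meta.knownVulnerabilities = [
      "CVE-0000-00000: remote code execution"
      "CVE-0000-00001: local privilege escalation"
    ];
  };
  # Same vulnerabilities, different version: the whitelist is per exact name,
  # so this one is still refused unless the env var is set.
  foobarNext = foobar // { name = "foobar-1.2.4"; };
  clean = { name = "clean-1.0"; meta = { }; };

  # The gate: no listed vulnerabilities, or a whitelist hit, or the env var.
  envAllow = builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
  isWhitelisted = pkg:
    builtins.elem pkg.name (config.permittedInsecurePackages or [ ]);
  allowed = pkg:
    (pkg.meta.knownVulnerabilities or [ ]) == [ ] || isWhitelisted pkg || envAllow;

  # Refusal text, mirroring the error shown in the commit message.
  refusal = pkg: ''
    Package '${pkg.name}' is marked as insecure, refusing to evaluate.
    Known issues:
    ${builtins.concatStringsSep "\n"
        (map (v: " - ${v}") pkg.meta.knownVulnerabilities)}
  '';

  check = pkg: if allowed pkg then "ok: ${pkg.name}" else refusal pkg;
in
  map check [ foobar foobarNext clean ]
```

Without the environment variable the result is one "ok" line for `foobar-1.2.3`, a refusal for `foobar-1.2.4`, and "ok" for `clean-1.0`; with `NIXPKGS_ALLOW_INSECURE=1` all three pass, which is exactly the blanket override the commit message discourages.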
Diffstat (limited to 'nixos/doc')
-rw-r--r-- nixos/doc/manual/release-notes/rl-1703.xml | 8
1 file changed, 8 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index 3758a3bf2aac..38693437059b 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -30,6 +30,14 @@ has the following highlights: </para>
   <listitem>
     <para>PHP now defaults to PHP 7.1</para>
   </listitem>
+
+  <listitem>
+    <para>Packages in nixpkgs can be marked as insecure through listed
+    vulnerabilities. See the <link
+    xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs
+    manual</link> for more information.</para>
+  </listitem>
+
 </itemizedlist>
 
 <para>The following new services were added since the last release:</para>
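Review bot: the new `<listitem>` does not tell a user what they will actually see or how to get past it. This is a behaviour change: a configuration that already pulls in a package which later gains `meta.knownVulnerabilities` will stop evaluating with "is marked as insecure, refusing to evaluate", so the release note should name the mechanism and the override, for example "Packages that declare `meta.knownVulnerabilities` now refuse to evaluate unless listed in `nixpkgs.config.permittedInsecurePackages` (or `NIXPKGS_ALLOW_INSECURE=1` is set)", rather than the vaguer "marked as insecure through listed vulnerabilities". Also, the link targets `#sec-allow-insecure` in the Nixpkgs manual, but the diffstat here is limited to `nixos/doc`, so please confirm the section with that `id` lands in the same commit or is already published; a dangling anchor in release notes is exactly where users who hit the new error will look first.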