author | Graham Christensen <graham@grahamc.com> | 2017-02-23 09:41:42 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-02-23 09:41:42 -0500 |
commit | 59d61ef34aae47f9fae53c4a10cc9bc1b19a6db1 (patch) | |
tree | e4d31cc795da49628e690a548d72373acde4d8c4 /pkgs/stdenv | |
parent | 274994785d9e5b1192e64af06f29d608f012c69a (diff) | |
Revert "nixpkgs: allow packages to be marked insecure"
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r-- | pkgs/stdenv/generic/default.nix | 72 |
1 files changed, 12 insertions, 60 deletions
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index cb94db48f4bd..34ba2fd8dd9c 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -75,14 +75,6 @@ let isUnfree (lib.lists.toList attrs.meta.license) && !allowUnfreePredicate attrs; - allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []); - allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x; - - hasAllowedInsecure = attrs: - (attrs.meta.knownVulnerabilities or []) == [] || - allowInsecurePredicate attrs || - builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1"; - showLicense = license: license.shortName or "unknown"; defaultNativeBuildInputs = extraBuildInputs ++ 
@@ -145,62 +137,24 @@ let builtins.unsafeGetAttrPos "name" attrs; pos'' = if pos' != null then "‘" + pos'.file + ":" + toString pos'.line + "’" else "«unknown-file»"; + throwEvalHelp = { reason, errormsg }: + # uppercase the first character of string s + let up = s: with lib; + (toUpper (substring 0 1 s)) + (substring 1 (stringLength s) s); + in + assert builtins.elem reason ["unfree" "broken" "blacklisted"]; + + throw ("Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate." + + (lib.strings.optionalString (reason != "blacklisted") '' - remediation = { - unfree = remediate_whitelist "Unfree"; - broken = remediate_whitelist "Broken"; - blacklisted = x: ""; - insecure = remediate_insecure; - }; - remediate_whitelist = allow_attr: attrs: - '' a) For `nixos-rebuild` you can set - { nixpkgs.config.allow${allow_attr} = true; } + { nixpkgs.config.allow${up reason} = true; } in configuration.nix to override this. b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add - { allow${allow_attr} = true; } + { allow${up reason} = true; } to ~/.config/nixpkgs/config.nix. - ''; - - remediate_insecure = attrs: - '' - - Known issues: - - '' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + '' - - You can install it anyway by whitelisting this package, using the - following methods: - - a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to - `nixpkgs.config.permittedInsecurePackages` in the configuration.nix, - like so: - - { - nixpkgs.config.permittedInsecurePackages = [ - "${attrs.name or "«name-missing»"}" - ]; - } - - b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add - ‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in - ~/.config/nixpkgs/config.nix, like so: - - { - permittedInsecurePackages = [ - "${attrs.name or "«name-missing»"}" - ]; - } - - ''; - - - throwEvalHelp = { reason , errormsg ? 
"" }: - throw ('' - Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate. - - '' + ((builtins.getAttr reason remediation) attrs)); + '')); # Check if a derivation is valid, that is whether it passes checks for # e.g brokenness or license. @@ -217,8 +171,6 @@ let { valid = false; reason = "broken"; errormsg = "is marked as broken"; } else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then { valid = false; reason = "broken"; errormsg = "is not supported on ‘${result.system}’"; } - else if !(hasAllowedInsecure attrs) then - { valid = false; reason = "insecure"; errormsg = "is marked as insecure"; } else { valid = true; }; outputs' = |
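Review bot: The restored `throwEvalHelp` in the second hunk guards `reason` with a bare `assert builtins.elem reason ["unfree" "broken" "blacklisted"];`, so a caller passing any other reason gets Nix's generic assertion failure rather than the package's own error text; a one-line comment would make that contract visible, e.g. `# reason must be one of the three values handled below; anything else is a checkValidity bug and fails loudly at eval time`. The restored signature `{ reason, errormsg }` also drops the `? ""` default the removed version had, so every caller must now supply `errormsg` (the validity records in the third hunk all carry one, so this looks consistent, but any call site outside these hunks should be checked). Because the first hunk removes `hasAllowedInsecure` and the third removes the only branch that consulted it, `meta.knownVulnerabilities` is no longer read anywhere in this file after the revert, so a package expression that still sets it would evaluate silently — worth a sentence in the commit message, which currently states no rationale for the revert.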