| Commit message (Collapse) | Author | Age |
|
|
|
|
| |
This is based on a prototype Nicolas B. Pierron worked on during a
discussion we had at FOSDEM.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
|
| |
|
| |
|
|
|
|
| |
This reverts commit d0a086770a1be8c1f3175c195587052c5a5bfe1c.
|
|\
| |
| | |
nix-daemon: default useSandbox to true
|
| | |
|
| | |
|
|\| |
|
| | |
|
| |
| |
| |
| |
| | |
I encountered no problems with it. Nvidia binary drivers are tested,
and AMD ones now both set `abiCompat` to use older server versions.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From Postfix documentation:
With this setting, the Postfix SMTP server will not reject mail with "User
unknown in local recipient table". Don't do this on systems that receive mail
directly from the Internet. With today's worms and viruses, Postfix will become
a backscatter source: it accepts mail for non-existent recipients and then
tries to return that mail as "undeliverable" to the often forged sender
address.
|
|\| |
|
| |
| |
| |
| | |
`pythonPackages.ansible_2_2` is now the default `ansible`.
|
| | |
|
|\| |
|
| | |
|
| | |
|
| |
| |
| | |
Thanks to @teh for reporting this issue on the pull request.
|
| | |
|
| | |
|
| |
| |
| |
| | |
example of how to convert overridePackages usage.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch add a new argument to Nixpkgs default expression named "overlays".
By default, the value of the argument is either taken from the environment variable `NIXPKGS_OVERLAYS`,
or from the directory `~/.nixpkgs/overlays/`. If the environment variable does not name a valid directory
then this mechanism would fallback on the home directory. If the home directory does not exists it will
fallback on an empty list of overlays.
The overlays directory should contain the list of extra Nixpkgs stages which would be used to extend the
content of Nixpkgs, with additional set of packages. The overlays, i-e directory, files, symbolic links
are used in alphabetical order.
The simplest overlay which extends Nixpkgs with nothing looks like:
```nix
self: super: {
}
```
More refined overlays can use `super` as the basis for building new packages, and `self` as a way to query
the final result of the fix-point.
An example of overlay which extends Nixpkgs with a small set of packages can be found at:
https://github.com/nbp/nixpkgs-mozilla/blob/nixpkgs-overlay/moz-overlay.nix
To use this file, checkout the repository and add a symbolic link to
the `moz-overlay.nix` file in `~/.nixpkgs/overlays` directory.
|
| |
| |
| |
| | |
Document breaking change in 17.03 release notes
|
|/ |
|
|
|
|
| |
/cc #21257.
|
| |
|
|
|
|
|
| |
Old configuration format is disabled now (it can still be used, but with
additional steps). This is a backwards incompatible change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Commits
351d12437 ("nixos/release-notes: PHP config-file-scan-dir /etc -> /etc/php.d")
41c8aa8d6 ("php: change config-file-scan-dir from /etc to /etc/php.d")
were merged to master _after_ NixOS 16.09. Commit 351d12437 then wrongly
updated the NixSO 16.09 release notes. Fix by moving the entry to NixOS
17.03.
|
|
|
|
| |
/cc #19324.
|
|
|
|
|
|
|
|
|
|
| |
`stripHash` documentation states that it prints out the stripped name to
the stdout, but the function stored the value in `strippedName`
instead.
Basically all usages did something like
`$(stripHash $foo | echo $strippedName)` which is just braindamaged.
Fixed the implementation and all invocations.
|
|\
| |
| | |
php: change config-file-scan-dir from /etc to /etc/php.d
|
| | |
|
| | |
|
| |
| |
| |
| | |
This patch closes https://github.com/NixOS/nixpkgs/issues/14897.
|
| |
| |
| |
| |
| | |
(cherry picked from commit 51cf16f4b4281edb788c1097d18201a86656be4d)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| |
| |
| |
| |
| | |
(cherry picked from commit 14c16f2fdb41794e7b9eeb9ab52137c1edbe3471)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| |
| |
| |
| |
| | |
(cherry picked from commit 1eaad0150c13efe0c0912f29143983067194f0ee)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| |
| |
| |
| |
| | |
(cherry picked from commit b3a5bc5f577824229f43539f3035014ed6fdc8a2)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| |
| |
| |
| |
| | |
(cherry picked from commit e293a85e24e8a9029c2ca5ce9187607f25a1a108)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| |
| |
| |
| |
| | |
(cherry picked from commit 1ff2b10f282d7ae694b70b713cfefcdee467f873)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| | |
|
| |
| |
| |
| |
| | |
Since this is an application it is not suitable for pythonPackages,
which is more appropriate for Python modules.
|